ffcd284dd3f33ba4861dab647aaab24b929fc582df1759e711fcb1695960a0d4

Resubmissions

05/05/2023, 19:10

230505-xvkyvaad7w 6

05/05/2023, 19:06

230505-xscjpaab7t 6

Analysis

max time kernel
181s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Screenshot 2023-05-04 8.24.42 AM.png
Size

27KB
MD5

00f570c756caab8c20ecabdc996c69d3
SHA1

88d2f10c67a4566478e9b2ceddd52cac9b5fdb3b
SHA256

ffcd284dd3f33ba4861dab647aaab24b929fc582df1759e711fcb1695960a0d4
SHA512

f5013ce3427447a2107a205a4f8c85b764e5dfe9543381881aa4ea6afaf8967c7ed813ebc5de06f602940b054f2edbe6d11858b8858c25d6dab921232ae3f49d
SSDEEP

768:gAAAAdwBgjVNFfZhHhzG+sXrwTOw9KxLgzZV4Kqc9Eu:gAAAAdwB4nFfZhBO7XbeZ6KquEu

Score

6^/10

bootkit persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Phobos.exe
File opened for modification	\??\PhysicalDrive0	Phobos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133277872329581144"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4928	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
3892	chrome.exe
3892	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4180	Phobos.exe
4180	Phobos.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 4060	4456	chrome.exe	91
PID 4456 wrote to memory of 4060	4456	chrome.exe	91
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 3168	4456	chrome.exe	94
PID 4456 wrote to memory of 4528	4456	chrome.exe	95
PID 4456 wrote to memory of 4528	4456	chrome.exe	95
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96
PID 4456 wrote to memory of 1020	4456	chrome.exe	96

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2023-05-04 8.24.42 AM.png"
1⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5a889758,0x7ffc5a889768,0x7ffc5a889778
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:2
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3304 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4672 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5060 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4704 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3460 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4624 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1840,i,8396491734309125323,14252877123708738577,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3892

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1536

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Phobos.zip\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4928

C:\Users\Admin\Downloads\Phobos\Phobos.exe
"C:\Users\Admin\Downloads\Phobos\Phobos.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:4180

C:\Users\Admin\Downloads\Phobos\Phobos.exe
"C:\Users\Admin\Downloads\Phobos\Phobos.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:2080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x404
1⤵
PID:4344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7053e8c581dc8285f253f9b0cf8ec73c

SHA1
0b82e436aebe94fbd789bd80bf803b1fc37d1ca2

SHA256
d0de1cd1feee89973e08e43d45eefd86b21ce033ef4fe58d0c686bc14c0ce4f4

SHA512
6c55b65736c496283ac45559edcb8536c61f1249daceabcac869f8536a44a2b10ee76f61508c0fa8c9df4c1b2781feb74d289b469f17296c7491fb9b551a9d5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e75cf94627ff056a43ea3314bf83ea25

SHA1
b5059a2b52574b7e441af1111836cece7c122e92

SHA256
d5f191307f2fe9b54bf4612ca5f833b59ddaf327514b445024b457202efa21c0

SHA512
e902a726bbdd6da7d4bd18189f66cd9f1c245d0aa3be3cd5bc4e56b47d8fe9af6f48f9b8593e26f9c6dd6d1fcc335c69fac4966169c0e95c53a50d5e46115de5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
8f55aea0156c134b717c10380b421689

SHA1
4a9362edd414e0ca5024ea28cf0e59f59b74486b

SHA256
e146a20503d1f455ae6ad6e036d1d76b29bfc925c1c29dca1a1bf84d4d453762

SHA512
0c7fc8056daa478bbf09466b23b48e284b1aea829e3d2a8757f957d39a576a61f238826d23e82b9a9fd1aec5f8f85ac64561d25e54890a4ec787d45d523f092d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
337e8db4950f49e7c4e5ce5ca9c67144

SHA1
3df7fcf93b09bf0407cb6c548cad0bf5c2af785b

SHA256
5aea5c5b2541fb551ed83b975c8e3bf57a0ce458f11637bfb12fb6e46bcc12a0

SHA512
e127f202fe62e926dc64c7b3d9991ee4ab368fa2077d1cdcf5d23019bba713ff7c036aa21bd6ee9ce0c067d0d24686001d2e12f8756a7ed614c2ec3150cfdcbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bd79299c745e4138a3f84ccd8b47c2e9

SHA1
b24ef6a903d0440b753b540e4efe3180ffce5a3a

SHA256
6a2853908b86254c887d5479b9a84888ab478601f4e501baae3112f049414046

SHA512
f42095203c8bc2d864fafb9a49fcea18c5d141e00cdc9c9dd96660dc81f278d851f86fdcf730d82f8aa69b34147688e1196c5bc9080bd6157cf2f5598f7dbbca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7bbf32dc68a2b3ac0514f5511186ca6f

SHA1
44cbf57cc8f6c3ed5e9963bb462ee5212240bef4

SHA256
ac804e20aa4d23bea5979e243b7a922b633cc1f1007aeb08e9034b1156788ea7

SHA512
131721775b0da126d49d0badc0ad6a820dfe293cd388f88c96eb9ccba32ae1464b61a5f55286b2c56ec229c3a1e5a03aed06bbc3b30d7acddf35df4798d56bee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8f2c92a3c2be36d22a5aa86d4640a419

SHA1
cce567bd3d7135a316035b91fff14b20fff8ec22

SHA256
e875cd2f567bf22993c4bda535783f481a9eb98cad150f9b47579bfae38333b2

SHA512
fe0bda049a6dde8ba4297da8fde7fda1031087cca67fb10510386cb4660f52a5e177816bce8640255ac068bab9bfbbed419d5dce46efc8f4f106a4b036630bc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ce5946eac0c510aad5052f08c090fd2a

SHA1
588ceafb41a88acad886ab9913dda760d57bb481

SHA256
51adf2b74ca65f7fd2d55fc6d90a99b39bdf7e649dbf9a7948c84cc16048c467

SHA512
1281b6f710aa7b7fee6f11bfb7b596a741145252bc785821ab3486b8172c36b2c85a620275fc19603dbaeeb38f9eef05dde8a115205673376fa18e09c5cf573b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5999a85118c72f8d5d229763ebb093a4

SHA1
15c883d4783371f797e660d0b7150059617ff1c0

SHA256
3682e169b411d2750633bdd96b359132cb7ab05a78ec7792270a13972b4bf763

SHA512
7adba74919de2a25c234f77cf298e18b8f7f2e51739fae1324c3bc3ad9680cfb70805e642f53a1ca9add6b303e0b171f96900805297892c5e0cfc9d11372dcf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a5ffbac0148940d17325c7fcd0a8cd43

SHA1
94f3f18c8037155244b1fe52474c03a540fbeda6

SHA256
a1310abe5a63a73101268afea0aa0eed62ee276d0e4e9524321e6a6d242d56b7

SHA512
166cdfc9d52111a5ec197b23b3d5599a5a1f8aeb6663a88bb559eb0c45eaa9006ad6011b85f75b9c68c240ab62b000e0683ca93fa18b7f5f143297fa7a4a42cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
45313b99c514c7a9ae4aed5dc570117f

SHA1
834045d9df579c6f483cdf07b8eabaa7d911ef29

SHA256
34dfd06e2becf57e7321f837e0efa506cc3aa5d459c43ddf5df5fbdadd859af2

SHA512
b33d296aa26cedec6dce1606b7046328d3571e436c830850d9f7794060145e009f01f3b28519d6e32fd6fcab4b63c80a06f6c3bec006501b124abd3ceb8ed4a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
148KB

MD5
e43ccd7e65d0494e5b73910270b027ba

SHA1
3939e8499094419da2991f2c2d44f191f96e3ba9

SHA256
aac060e6a7a99679099b389bd94d0fbfc183582618dc53aa8d1b7235a20b8aa6

SHA512
2e8894f0bd0fe2696a02757bc0bb8b15a1d1e2a36d34394fd29435bb9c9b2c6f7426b06ef1b72b805b637b35e692a65bc6e8618bdd8f0da8e2ceecc1e0131c55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
c81dc22160014827ee385f9e15684d9f

SHA1
4f6d11ddd4bc259a243fcc5762f6b4d0f0748609

SHA256
5a4712978a7f27fa048443f02629bf93736abf8dc441d1c651f1cc4599fc7624

SHA512
24e16c0112539e075e83d12c9f525e5e6d0545f4c4aca3cbe30a14abfe1e606206d902d95b02a7f1402cef742bb244452538ecf3c3772d16be51df70ec412e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57af3b.TMP

Filesize
96KB

MD5
3075e8f7902aeed4976375c11999285b

SHA1
8343a1630c8ee3ffe2e29f840d7741144e665c5a

SHA256
d96e1144ff712db69d5572dfd4d5b56fb0bb70db243eec416b12976e80d4a39d

SHA512
0b95c09b7afd8e27213bc45dea395b00f5899725c3b849264afb1ab8c2ad77aa4e88fd7b7547bbe06493b01abc42e8cbe83694d03f3fc47efc4dbb7cd4c361a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Phobos.zip.crdownload

Filesize
9.1MB

MD5
17e3c9c71e1b96f637bc236cb8161b01

SHA1
10360deb8fee504a631693d765aa9e2643d5e92e

SHA256
91839e47f89463b0648ad1b3e53fa9c5aa44b38f87367de4afc408308de1465d

SHA512
463edca0d52f65953ebe80020ee4531882e77d8864855361b2b242193b418a2a6eff360e75b32ce125ba1fcdf9353b740587b387b1484736dec4d8eb78121f39

Download Submit
memory/2080-436-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/2080-451-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/2080-422-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2080-449-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/2080-424-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/2080-425-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2080-427-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/2080-438-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/2080-434-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/4180-420-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/4180-435-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/4180-437-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/4180-433-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/4180-426-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/4180-448-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/4180-423-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/4180-450-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download
memory/4180-421-0x0000000000400000-0x0000000000F2C000-memory.dmp

Filesize
11.2MB

Download