Analysis

max time kernel: 626s
max time network: 637s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2023 03:46
Static task: static1
URLScan task: urlscan1
Malware Config

Extracted
family: strrat
c2: giveandtake.mefound.com:8082
license_id: khonsari
plugins_url: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task: true
secondary_startup: true
startup: true
Signatures

Drops file in Program Files directory (12 IoCs)
Process: javaw.exe
File opened for modification:
- C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb
Enumerates system info in registry (2 TTPs, 3 IoCs)
Process: chrome.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Modifies data under HKEY_USERS (2 IoCs)
Process: chrome.exe
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
- Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133416424094080709"

Modifies registry class (1 IoCs)
Process: chrome.exe
- Key created: \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings
Opens file in notepad (likely ransom note) (1 IoCs)
- PID 3704: NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 2896: chrome.exe (2 events)
- PID 3880: chrome.exe (2 events)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (12 IoCs)
- PID 2896: chrome.exe (12 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Process: chrome.exe (PID 2896); the events alternate between the two tokens below
- Token: SeShutdownPrivilege (32 events)
- Token: SeCreatePagefilePrivilege (32 events)
Suspicious use of FindShellTrayWindow (44 IoCs)
- PID 2896: chrome.exe (43 events)
- PID 2124: 7zG.exe (1 event)

Suspicious use of SendNotifyMessage (34 IoCs)
- PID 2896: chrome.exe (34 events)

Suspicious use of WriteProcessMemory (64 IoCs)
Source process: chrome.exe (PID 2896); target process: chrome.exe in every event
Target PIDs written to, in order of first appearance: 1460, 3852, 1624, 4512
Processes

- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2896)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://filebin.ca/7daZAsXNH927/SHIPPINGBILL.PDF.zip
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1460)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd3dd9758,0x7ffcd3dd9768,0x7ffcd3dd9778
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3852)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1624)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4512)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 208)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3320 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1816)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2584)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4636 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4948)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3780 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2376)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4044 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1744)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4108)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4896 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1612)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3992)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3640)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1080)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2432 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1612)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5700 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3884)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3880)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5416 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1580)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2328 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 184)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2380 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3116)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5684 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 880)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6048 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4276)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=3288 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3776)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5696 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4328)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6484 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1700)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6772 --field-trial-handle=1876,i,5147849643716627213,18116380090183969184,131072 /prefetch:8
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 3068)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- C:\Windows\System32\rundll32.exe (PID 1264)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zG.exe (PID 2124)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SHIPPINGBILL.PDF\" -spe -an -ai#7zMap16145:94:7zEvent16970
  Signatures:
  - Suspicious use of FindShellTrayWindow
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 4400)
  Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\SHIPPINGBILL.PDF\SHIPPING BILL.PDF.jar"
  Signatures:
  - Drops file in Program Files directory
- C:\Windows\system32\NOTEPAD.EXE (PID 3704)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SHIPPINGBILL.PDF\hs_err_pid4400.log
  Signatures:
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\49a39f4c-028b-48d8-aad8-f722a25f7ba3.tmp
  Filesize: 6KB
  MD5: 55068acc06fe11c7b94688d0639e321f
  SHA1: 0d49ff4c8242f7fca4e3d4bb83fd3a87139d9d7c
  SHA256: 61bec06418ce1b7823e6eb3078b226ad9a716e1ec1e54838fa44df4897a9c59c
  SHA512: 9f944bbdba45427d30444d7b3ca4ecfb34f409049c8db3dc2004d7f1e990ba2f6745ad6078490e0a5597be40fa10d753768886fbdc8cc20c125a0855cc9e477b

- Filesize: 183KB
  MD5: 7f529c2ef4e90c2fe7b09ada4f85f4f1
  SHA1: 58b9e4de7b4a1e549a17cb471541ed330a61781b
  SHA256: 2ebaeac31ed41fbe24fc07bc3b0fb4043422a790e356a5f38c82b125e3451827
  SHA512: bcf6ee7711e5dbf1943dcd133e675006d574e3959761cb1007e69b8299c5d3a8435324427b402f65b0feb3374b625e2959fcb321b67ddbaae36c5ffcb74dcd0e

- Filesize: 312B
  MD5: 7550d692bb19415f35ad15b7f0121b53
  SHA1: afec26f2e2b3239c7c5e107bc85f671300173157
  SHA256: 5dafdd58719743d1b3e35eead533dfb9cfb68805d38466a52be1983165f42ab3
  SHA512: 2b76cc3b628fed31adbc50fa082e75c1cf94f496a36038263e7012f4872c23a07fbc03042db47a3400b98ac3016f20b563d8ba253a62b36ac4f2caecd9047456

- Filesize: 1KB
  MD5: ce3decd63bef83441b2be6d40179cbb0
  SHA1: b790f37547316d319988e7a6ab1091a787d8b33b
  SHA256: 82f5ac70d849cac25caf96c5c187477292f6242ce554f9d51df5231ea4298abe
  SHA512: 19d583782269c6b4cb9f92fd8b2a1052f8fa5d953a2fffe8d2745aad6941df38891a8d383b4a393c6a06c7a8a595519ccf6ca8c65e99cd3bbde55dc267a120ac

- Filesize: 192B
  MD5: 9d6abbaaa08adb8924479efb7c70fa2d
  SHA1: 72551722d6e6e200168f0675ac9fe7b24ec2cf2c
  SHA256: d0485e5ab74c22eb6d3859b249fd5a7c0f3dd3354635d7e2dee716b7ecd21cd6
  SHA512: 42dfd9e1c50a83799af2ab95556c6b80237d638ff1e866dc4351c2fd9895ef4a4190b483e157b2308171078f34c3533e6d1d18ae6258efc29a1eec93759a8fbd

- Filesize: 2KB
  MD5: 26cb095d659fea8ce2d99f6c22ecccc9
  SHA1: 42a18c390df858f5fe80e253a960264650d1b9d9
  SHA256: 1bc0b58ea7ce22928ed010deb620715e054db603735508cc64e95fe10c08ec70
  SHA512: 2882f468aa67d385cff7e6861e01908f482e263da4eed026a83009c180e643b944c8bab06bd6e97bc76e44b742dd007787231de9df014e0b43a699eaf332a5c1

- Filesize: 2KB
  MD5: fd8836e228488b1c20885b1a349610b6
  SHA1: a8f823785465c830b30156efb4de45b17b8b3d8e
  SHA256: 1a1d8d83c53093a3ae91d8e2081f33586c71aea49f25be2acc426b340c14be24
  SHA512: 3f09040945966a6af3dde11fef25bfaba1de45d6ea705f437b1adde40f505ff69cb55174453509088284c340d491687892beb9632370bbecfd4fc54c7fbacda4

- Filesize: 2KB
  MD5: ed8d54851ca5841754ab56b32c2ddad5
  SHA1: aa757157abe6fd4dbc59c182174f408a49fee0c5
  SHA256: d30d2ac80fa24f82949c90868bc962e4cf350c261450b7844f59f1d1a80cc632
  SHA512: ac8037731e712b83dfee63b2116dbaba78ce3ebb792377edee483d6f83c7e0d83852aff406204ea72257017c3531e4bd6fa22d5696659989051b638d396b57e2

- Filesize: 4KB
  MD5: 1b84ea2df293eaf09e2c546837cc5d7f
  SHA1: a917563a096ac39938546f87953a259c886fdd75
  SHA256: 8ac78fc7162354e7b25670d62a1dcb4354ff33d9dc2b4e846da7b5a0137d920b
  SHA512: 0e22747e109b94a211c20069e4850090d133da77ab371e5cb0386239b89738e972cbcc0096932ad7a7caa03caa3142fb7bb61d0280115b0d84f2e16f2e97d98d

- Filesize: 705B
  MD5: 608f5b86ba653376422bd56ffda271bb
  SHA1: b89ec21cbe9f37f25f933646ef5604165d376df7
  SHA256: 50f29ae613063c27f52391a5bd1b7ebf4080d43d60225398cb09aed9fb8f3483
  SHA512: 7cdc21182c04217372205b09776def3bb3225b89be3ced1b0e3b0ae9a1aa9368bbb11c6d42974e4f99f23245aa894c852bf7e89846bdfb0d778b5f59daabf4d7

- Filesize: 538B
  MD5: 69a6109148ea8e27ed2c0e348d0865dc
  SHA1: 69180db850065267b314071e8e995e014d6a2b07
  SHA256: ae3fb2c1bd6022c8e508f29ca07c7094a7d533cb6e315ac8c5a182c037df708d
  SHA512: d3b4b8cdc33b8676c250dce9500897b22d78383fa7cff7f2781431745f20c57858f62eda62873ce30237165e1f3d13fc0a214b1682ae2208b6145e4fb181c098

- Filesize: 6KB
  MD5: 323332043cbe244518a73da72d4795e0
  SHA1: 10c256afbe7bcf0ff69ab4661ce1f9894de3161b
  SHA256: 04282d7ba57ab62cbb553d4bab2ab69f9b63cf0af8dd98190e0400ce345a2ec0
  SHA512: 595b61acfe492bb6bf994368cfc5484057ba6b201e80b5311039524baddfa59417193dd5d2ecdcdaf5a0a8f6c4789ee63126f1f85459d1f616bbdbaba90358fa

- Filesize: 6KB
  MD5: b7210685b84be9518f93a3bc7c15af94
  SHA1: 45e13bcc99ecc63abe3c7575e08aa44c64c2e9e6
  SHA256: d95e2cd62c77cefdcbd53f99efe2a50a95a9e029000bfdc3a6e2417a24ff9a6a
  SHA512: fabd13390af18922055a4f14807400e529e2b1eb65eae81253e983f0823c1781b0a858386119075e95834807fcdf102e87214068b316cbb70f0394d19f6b45ad

- Filesize: 6KB
  MD5: a3ac7bee8f6a573e60bb55e84b809137
  SHA1: cabcf7c2f4aeebf0f567bbc8d5460fca83f82d3c
  SHA256: 480cd07e96a50c5d4a490807fbc216059769af9987e3b310f80b2e12fdee6afd
  SHA512: 8d28af3d23a85d662430f2d86ecd8290dca4a85cf5a759acc9eca311efb6f9e49369a1a9d76b4e3337378f979580c3f90f9d0359863c791a9ea2c12d5c270ae6

- Filesize: 7KB
  MD5: ee2f921c1035cf9cbb40c223b2427f80
  SHA1: 8268e92b20f6f39c60e1e8b282858351a1395444
  SHA256: cad1e836ee8b8fedb3c3c9df6e88371300127d34458f665b26aad1a7f1ae7528
  SHA512: da52fe08d43c0a5b776afbb69690a1ff858ad887a5ee1f85f8fe888bc9d9c5232f0c2792ee7c554c88d8cf5280da6115094d289a29aec03bad07dd81ca04a01e

- Filesize: 6KB
  MD5: b6719ffb72580eb6039b4a3b24ad4735
  SHA1: 8c09eade1ed715ece64c74435926ef44435b558e
  SHA256: f446eb9c55e11d6941466855d90eef728cb20caff368e43ea89f71caf49a5497
  SHA512: 5829169aaf60b080e511c10a659c0aace89f268a6e24f4fe2a3281b3a4ca98de28fe45b3b5d06d5e1c4db98ec3f54e8b2115fb1506bb87344f2d0261c4cf259b

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: 0c87866f90ba9526d30a583af79f3d6e
  SHA1: 9fbfb652b0be9397c7605974869bba9e58d5d001
  SHA256: 7d08c7a8f351fbc28dfb5e4f930d85a71bb1ca1576d056773e27ef1de0ed52c7
  SHA512: ed849c85681593818b6b86fd1734133e3898bd25e0c3373603ef494932c7a6aaebf2dbaeddb094661ccf38d3f5aad8e29303703245d4b71ba7e2d58bf8f83c57

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5f9d04.TMP
  Filesize: 48B
  MD5: cebf0f3a8940d3491fe9a4a5da109018
  SHA1: ddf064c84246d2d0e1c6100f3a90b4bd30b1a910
  SHA256: 83c02f694654d36157b330945e00c296ec17e1e06f79075202a36510120a0319
  SHA512: 9777edcdc40d7ed42106efabb3240b3ea66aa3f01e1dcdbe8611a80ffa068025c983d53e9d6a149b8c42f460e1dd88f29a5ba721200ceceb70642a524d2434cc

- Filesize: 101KB
  MD5: d90d5d5dc496c7f53d00e358a19de80e
  SHA1: f06a7a439b5e9e6ff0ef425ff3b995d019f05aff
  SHA256: 3efa045f1a280951d814922357b68c94de63a3fa0669ff33d94e341c096dd429
  SHA512: d5c4a4478a8ca2ba3130f4ca0428bfe98fe200d64b451781c0e2cf7045856b7a8637a9deaf6c51f7203fa21e035324e1b0f26738788595a0936c41ec54e29fd0

- Filesize: 101KB
  MD5: 3f3fdd3cd9cc51d65100dd9452fdda78
  SHA1: f654283242455316e505f9dd446ca1315a40a2de
  SHA256: a0ec08484be99d6c3e8b031d0e313d3908023f34cf9b7fc6a0572c71a8c9b292
  SHA512: 8458417b7899d8484f4d87aea1740ebf87ab3d91964cf068c5b28448d13e32aa374418fb1d96822799a0d155fab3470ddafe29bbc96d9bb8decab9c83bc31d22

- Filesize: 101KB
  MD5: 35b87e8f0140187f2bc86801822e9f42
  SHA1: ebafcb3f539c4e8bf819af955c348b986dad2397
  SHA256: 5e857c131477dfa08f1ec2ee975c5a6eb8baef0c1aeb3b936c2234518b992f5b
  SHA512: 842e1ec25e49c79efefab9209c7c93f118de14638df23196c11d4076621e9902636daaf300ab36e5acd276ddede0d5997f4582deb72348ce13e57ad8bcdbe7f0

- Filesize: 114KB
  MD5: ad9fe0c2dd46592c8cfd27708b4efc70
  SHA1: 665dc25e8b02daa8f9621763f4580607a0bc6708
  SHA256: 0b468b55aed0903615fd5ff53717e9ee4ff269d9763482ce80998a0307222118
  SHA512: c852fe84aa8b051380dc5a2e0ebec3b61cd2e9cf3cce5623c894007a4d826be37a42c1a05a5647323e925103bcc618a3d488d90ae85697bf8036b37b557eec6b

- Filesize: 114KB
  MD5: 08ee85dde5831e6663d5df615e93e436
  SHA1: 8121109e9b2ef1164b6faad82d7e2e7d5ac6f50d
  SHA256: e03e1e4440c05c1800416a7e8b1d38cbabf097b6c3e38fdd5bec67d22e51118d
  SHA512: 367852b7518b91b171d37c4cc043dee8bafd312acd3e530e4f66acb2e7d71a8ea794a587591d38b37e9ad993f64346a02c5f8f36434158b2fda4a4ba7c55c219

- Filesize: 113KB
  MD5: 4d33e04b24312c7c00ad2176d3c9993a
  SHA1: 2c39cff65504137360dabbb19a2393e9d664e0b3
  SHA256: ad9ca8fd3dfe28ca08ef17be0d6f944ab0dfe6d5156de5936e195156b30badd0
  SHA512: a062818afebf58810812b38a7292346d5910661b278a959f9048f2613d830840b4b7745bc3de2f0541263ac585f77badb64b936266ee7086ac787419dd91c755

- Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

- Filesize: 202KB
  MD5: 73fa8a40c71f0f63666091ccf380c4c7
  SHA1: c0fe14133cebc149f92e3ec6a562627b95350b93
  SHA256: 65c7a9781457f7fadb81eac625dffa8ba1c90ef46bbcc0a6a01e1638cb8495ee
  SHA512: 07f1d6b26aea0b006169d42c806658683450697838db51499ab39fcf9bee0b06f292531055b55fb0a722fb82a43d0637e060fe97b2aa0a1977729b35b94bee31

- Filesize: 202KB
  MD5: 73fa8a40c71f0f63666091ccf380c4c7
  SHA1: c0fe14133cebc149f92e3ec6a562627b95350b93
  SHA256: 65c7a9781457f7fadb81eac625dffa8ba1c90ef46bbcc0a6a01e1638cb8495ee
  SHA512: 07f1d6b26aea0b006169d42c806658683450697838db51499ab39fcf9bee0b06f292531055b55fb0a722fb82a43d0637e060fe97b2aa0a1977729b35b94bee31

- Filesize: 209KB
  MD5: d3ff400fe2e20f494e39a5a5a8e5c1c5
  SHA1: 66c40bff1bf77749b887f93de72043ecf09cda16
  SHA256: 0c3a1b79b6e8d372c0e29eeb56ae8814c630d2575e5bdf0d9d1ec10fc9a8385d
  SHA512: 89922923f0593a9733931fe7d715b2cd8762dd6b40f476e31cab4fd51f04bed814f3276a923278ebafb6fdb8e684d27aeee3b1492ee8ab4239c188e1a6f4420c

- Filesize: 17KB
  MD5: e1a9edcc6a78003272b353e04946f476
  SHA1: a2678c0bb039a8c4564a298324605af53526ebe2
  SHA256: d04bf609de17476b81383645969206244f0686be96de03ac3a94ee0d56cc0e69
  SHA512: 56e3799a743e27524044146a46148b2616a55aa6cb3c5a0b80047acf13740cbd173d87d00f7fc6ca26bf766013890e656212ec328cbff53685e0ab87a62bd69f

- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e