djvu | d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87

Resubmissions

01/05/2024, 16:33

240501-t2ylqsde36 10

01/05/2024, 16:27

240501-tydgdsbb3x 10

Analysis

max time kernel
1049s
max time network
1050s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
01/05/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
Size

788KB
MD5

c641ebe0860ec916c15348c0b66bb458
SHA1

d1bab1c3e79dccefc7da9e812288d0b5c9649c59
SHA256

d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87
SHA512

b898ae8305ccb4bdfbb6f456c7bd442b1166a0347920e2356673ca4995f439c54e08c2242ddabd0493cab11e841ee4704aed2f4e93a6ccd5aa4e1d347a1b1d4f
SSDEEP

12288:mAO0pTRoaZ/6t4rYY85QHsVRfKm3+OAGzUKkCQy3Hv/f8O:mkpVp/jfvQAK+lGzUKkCQ2/3

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://cajgtus.com/test1/get.php

Attributes

extension
.bgjs
offline_id
Z6iwSvCoAt8T8K2ROxecuXHPNHv7eDyWrc8Ks7t1
payload_url
http://sdfjhuz.com/dl/build2.exe

http://cajgtus.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0863PsawqS

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 15 IoCs

resource	yara_rule
behavioral1/memory/2108-2-0x00000000049C0000-0x0000000004ADB000-memory.dmp	family_djvu
behavioral1/memory/3920-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3920-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3920-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3920-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3920-19-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4092-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4092-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4092-28-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4092-59-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4092-79-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4092-77-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4092-80-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4092-81-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4092-82-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Renames multiple (184) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 4 IoCs

pid	Process
3396	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
3800	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
4924	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
1592	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5024	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\bee40334-d103-48cf-b25b-53fc9fa0972b\\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe\" --AutoStart"	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	api.2ip.ua
1	api.2ip.ua
2	api.2ip.ua
7	api.2ip.ua
8	api.2ip.ua
34	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 3920	2108	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	78
PID 1252 set thread context of 4092	1252	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	83
PID 3396 set thread context of 3800	3396	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	101
PID 4924 set thread context of 1592	4924	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133590550349550238"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3920	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
3920	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
4092	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
4092	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
1988	chrome.exe
1988	chrome.exe
4640	chrome.exe
4640	chrome.exe
3800	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
3800	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
4092	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
4092	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
1592	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
1592	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 3920	2108	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	78
PID 2108 wrote to memory of 3920	2108	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	78
PID 2108 wrote to memory of 3920	2108	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	78
PID 2108 wrote to memory of 3920	2108	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	78
PID 2108 wrote to memory of 3920	2108	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	78
PID 2108 wrote to memory of 3920	2108	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	78
PID 2108 wrote to memory of 3920	2108	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	78
PID 2108 wrote to memory of 3920	2108	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	78
PID 2108 wrote to memory of 3920	2108	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	78
PID 2108 wrote to memory of 3920	2108	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	78
PID 3920 wrote to memory of 5024	3920	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	79
PID 3920 wrote to memory of 5024	3920	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	79
PID 3920 wrote to memory of 5024	3920	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	79
PID 3920 wrote to memory of 1252	3920	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	80
PID 3920 wrote to memory of 1252	3920	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	80
PID 3920 wrote to memory of 1252	3920	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	80
PID 1252 wrote to memory of 4092	1252	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	83
PID 1252 wrote to memory of 4092	1252	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	83
PID 1252 wrote to memory of 4092	1252	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	83
PID 1252 wrote to memory of 4092	1252	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	83
PID 1252 wrote to memory of 4092	1252	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	83
PID 1252 wrote to memory of 4092	1252	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	83
PID 1252 wrote to memory of 4092	1252	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	83
PID 1252 wrote to memory of 4092	1252	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	83
PID 1252 wrote to memory of 4092	1252	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	83
PID 1252 wrote to memory of 4092	1252	d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe	83
PID 1988 wrote to memory of 1428	1988	chrome.exe	85
PID 1988 wrote to memory of 1428	1988	chrome.exe	85
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 2652	1988	chrome.exe	86
PID 1988 wrote to memory of 3584	1988	chrome.exe	87
PID 1988 wrote to memory of 3584	1988	chrome.exe	87
PID 1988 wrote to memory of 4820	1988	chrome.exe	88
PID 1988 wrote to memory of 4820	1988	chrome.exe	88
PID 1988 wrote to memory of 4820	1988	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
"C:\Users\Admin\AppData\Local\Temp\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
  "C:\Users\Admin\AppData\Local\Temp\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\bee40334-d103-48cf-b25b-53fc9fa0972b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
    "C:\Users\Admin\AppData\Local\Temp\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Users\Admin\AppData\Local\Temp\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
      "C:\Users\Admin\AppData\Local\Temp\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffad275ab58,0x7ffad275ab68,0x7ffad275ab78
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1796,i,15913938073297289861,9133522806134005495,131072 /prefetch:2
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1796,i,15913938073297289861,9133522806134005495,131072 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1796,i,15913938073297289861,9133522806134005495,131072 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1796,i,15913938073297289861,9133522806134005495,131072 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1796,i,15913938073297289861,9133522806134005495,131072 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4240 --field-trial-handle=1796,i,15913938073297289861,9133522806134005495,131072 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1796,i,15913938073297289861,9133522806134005495,131072 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1796,i,15913938073297289861,9133522806134005495,131072 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=872 --field-trial-handle=1796,i,15913938073297289861,9133522806134005495,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1796,i,15913938073297289861,9133522806134005495,131072 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1796,i,15913938073297289861,9133522806134005495,131072 /prefetch:8
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 --field-trial-handle=1796,i,15913938073297289861,9133522806134005495,131072 /prefetch:8
  2⤵
  PID:2536

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4988

C:\Users\Admin\AppData\Local\bee40334-d103-48cf-b25b-53fc9fa0972b\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
C:\Users\Admin\AppData\Local\bee40334-d103-48cf-b25b-53fc9fa0972b\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3396
- C:\Users\Admin\AppData\Local\bee40334-d103-48cf-b25b-53fc9fa0972b\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
  C:\Users\Admin\AppData\Local\bee40334-d103-48cf-b25b-53fc9fa0972b\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3800

C:\Users\Admin\AppData\Local\bee40334-d103-48cf-b25b-53fc9fa0972b\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
C:\Users\Admin\AppData\Local\bee40334-d103-48cf-b25b-53fc9fa0972b\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4924
- C:\Users\Admin\AppData\Local\bee40334-d103-48cf-b25b-53fc9fa0972b\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe
  C:\Users\Admin\AppData\Local\bee40334-d103-48cf-b25b-53fc9fa0972b\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SystemID\PersonalID.txt

Filesize
42B

MD5
240abdb09f8cf5669822ef5638fd6abd

SHA1
330eb780f463974bfe224bf81d21c654ce85623e

SHA256
88481e8b71928dafca2dce871f158074f5e0e906c7bed32ab2bd55e4be17a9df

SHA512
733ae237d36111317ea8bc2c38f377914f0adb1c16470224fd33d37c1af107cf82360acbe7d1aa67c4bc1161fc0949538f57856502250c42f835c914ca220f49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
99a0d432fc76891e10101274130c11af

SHA1
ede5f93cc5e517dfcd3b4e0bfb4576fb68806817

SHA256
c37f6af3f2edb4df584a83758d6c4cb225c6727f5ef17f0e22eaf18b2437c94e

SHA512
3be97294f3dd5470b9f8852865c8befcd540164b719c1e8045ba5e8cec2afb93d5a0bc04cadebc29a38ba1a030d48b206e1ea87ffd6b8cd1d7879cff9f91bb93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
5e69092aa5437d942b2d271a5bbbb04b

SHA1
765f3d0f10267d560897ea3949e8f74d561b5611

SHA256
10bbc4dc2d80f554188505c0635f20454a053ee59d60448eb7046edbfd0942fd

SHA512
eafaa63a74f62eaa963555b26a51fb509709b7e6b5308be1243dcb1490551d2637afd03d4f11f7ab6fed76252ad83098af6eb54507c30b55a14011eb78dcd7f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
e77c566d66e2ef4d4c6ed69101e845fd

SHA1
0e044620bd58d96a27488c6b5f38618325f01202

SHA256
2166fcd633e97cb96976f7e2655c42a2e47c58024dc55687d14c138770a41252

SHA512
df7343764de1adc3c618d7eea99a4566f83bd942c247a3d78924946f083afe0fc50c1c9caf4e9fe389554d060546df0f904ec9cfb60e135866672c7ec90acc94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\758ce78d-4437-47b5-8ad0-6f3be3592f5e.tmp

Filesize
130KB

MD5
d71b78a567c0b83279aec5ce4ce731fe

SHA1
65bf51824f97b4b6c99c4fc6aa58f89929606124

SHA256
aeee6690283a4fa4592157249667372751d070b0c9d8fd57828b25bdc0cbec27

SHA512
c205eababd146de0af15605632dc661cd9d7caa36cec40fe97de10a1311eb05429ca66d8c6f577dadae0c799ee30e6ec34cebd004b25940b2396f6a4d76c126c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b46562518af21bd099c0ed23c86708a1

SHA1
dd3f283429307deb64de70e78e24ea1ff26c80d9

SHA256
4bb1ccceb2089e73e681275f42e778a669023fcd64b6a532907416675082ced0

SHA512
01591a6bf1e15b6465125d841cbdf0fd2fd3c65f0c3a9bf7c14992c9c5c35badd579caef35ff531879a4feeee67bbeefa2d44f29208174d80d722a2370f80a47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
08c74703f250c70188bafe021bf29cc6

SHA1
ae5bbd29120c6efde64f983de75ce417d13368f7

SHA256
e56411461d36f43f5323d9de94410ca159405096ff9626c095cea36a466cb403

SHA512
e0d48e5cface5ddb6cdc2bd66aa3e4c64edec56cb2961a2f6937ac505e04d269c6f7c12d06bdfa764a7069fd85c7407742a05fd85b2aa54a9ea803593935b8c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\da683cc0-d333-4865-bbf0-a02c9366f7ad.tmp

Filesize
356B

MD5
8d3b8e167a970a9c105cc7a28816b4fd

SHA1
72c8f7ada6194708ffc9b03db5f837221406884b

SHA256
8d1ac4129db4bc5cd5c48b723c0992ac0463328cb4df10d035c91400c783e884

SHA512
58d48537abc4eb9f303a3d326b1149f6418fcf0b51bbe67b70f309bdf3eff5c3f322a1f28d3ef6ff4ea65fcdc488612671b2266977bf0138d56b07d258ed20af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
857292063596432a018667dc237d1a5f

SHA1
b455e9c1e3e4ee755b87495c7a5be9bfeb89cd1c

SHA256
0d3620983ce4c899782827e1b3b1710171d7946dbc8c97f25f7a96ecb7e1937e

SHA512
f483a8401d4ccfc071b9a161ee3ea5250f66d954d2b06110ca3ec32b21f4c9eaa3b5bc0f6e658460e0ac7063d11793c69d161b5da5d6566b2605c87620d08e12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
6ecaaa1a3eaeea5cb8df2ce623930e7c

SHA1
73a0d18fb853b69682d924309a0035c3e454b1f0

SHA256
fd81c79c82f21ceebe668143a436ae827b6e0aa9784477dbb5277306783d552f

SHA512
06c9e4948f768c3e2e7b957885c0e730de2ef6ba4ff1643c4b4247c66d807153183b383e9925d41947100ade75c38cf6bc614a83e272926c2fa03e4857bdf3e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
088e7c4447460ec8e32cf4a21ad455af

SHA1
394787e77601bb5065d3b3ac0e8bdbd39934bbfe

SHA256
2faed16d80ba9555b1de96b5a030f80ca01ec98f8032570692ee336ee4eeeb17

SHA512
1fa757da3579136010576a1d76e3e10fea4da3afbd748f2c1700d52485c6924df94fa5d02a109faf692d6b0cde495d4c53255ecbf6958b500a88dee563e24ff2

Download Submit
C:\Users\Admin\AppData\Local\bee40334-d103-48cf-b25b-53fc9fa0972b\d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87.exe

Filesize
788KB

MD5
c641ebe0860ec916c15348c0b66bb458

SHA1
d1bab1c3e79dccefc7da9e812288d0b5c9649c59

SHA256
d8e513805340e6ebde9c9077b2294a88b595a793c37bdf8932cfd0f1df035a87

SHA512
b898ae8305ccb4bdfbb6f456c7bd442b1166a0347920e2356673ca4995f439c54e08c2242ddabd0493cab11e841ee4704aed2f4e93a6ccd5aa4e1d347a1b1d4f

Download Submit
memory/2108-1-0x0000000003180000-0x0000000003217000-memory.dmp

Filesize
604KB

Download
memory/2108-2-0x00000000049C0000-0x0000000004ADB000-memory.dmp

Filesize
1.1MB

Download
memory/3920-19-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3920-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3920-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3920-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3920-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4092-28-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4092-80-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4092-81-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4092-82-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4092-77-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4092-79-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4092-59-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4092-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4092-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download