blackcat | 609172a21642cdec38beda5a23225cf21b11de9da29e94f5f3abe3b79f9b7386

Resubmissions

22-05-2024 15:10

240522-skftxsfe43 10

22-05-2024 15:06

240522-sgpyesfd46 10

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb.exe
Size

2.9MB
MD5

817f4bf0b4d0fc327fdfc21efacddaee
SHA1

8917af3878fa49fe4ec930230b881ff0ae8d19c9
SHA256

f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb
SHA512

b0f8c0f3e18765606db9c29199b617f5a757c5b12cdddeac1e91deaadef790b1134eb3c009b0eab36096391d93c8fa6abcb983426bc506ae79a63cadb7ea954b
SSDEEP

49152:rAnCsMZjVpVbl4D5GzNMFsl4UROAUc1y32ZxJFi4NE/RgaJ2w1M:rAnCs8pVblGyNM+l4UxUc1BhFyvww1M

Score

10^/10

blackcat ransomware

Malware Config

Extracted

Family

blackcat

Attributes

enable_network_discovery
true
enable_self_propagation
true
enable_set_wallpaper
true
extension
7954i9r
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion/336eb50d-ebf8-436b-937d-ec075de46e7f/419ef3f950d9f346cf86db56db453539dcd51567ea871728e78dbc9918c7efeb >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://sty5r4hhb5oihbq2mwevrofdiqbgesi66rvxr5sr573xgvtuvr4cs5yd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1600	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2636	chrome.exe
2636	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1600	vlc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeDebugPrivilege	2728	firefox.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
1600	vlc.exe
1600	vlc.exe
1600	vlc.exe
1600	vlc.exe
1600	vlc.exe
1600	vlc.exe
1600	vlc.exe
1600	vlc.exe
1600	vlc.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
1600	vlc.exe
1600	vlc.exe
1600	vlc.exe
1600	vlc.exe
1600	vlc.exe
1600	vlc.exe
1600	vlc.exe
1600	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1600	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2800	2636	chrome.exe	32
PID 2636 wrote to memory of 2800	2636	chrome.exe	32
PID 2636 wrote to memory of 2800	2636	chrome.exe	32
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2404	2636	chrome.exe	34
PID 2636 wrote to memory of 2696	2636	chrome.exe	35
PID 2636 wrote to memory of 2696	2636	chrome.exe	35
PID 2636 wrote to memory of 2696	2636	chrome.exe	35
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36
PID 2636 wrote to memory of 2992	2636	chrome.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb.exe
"C:\Users\Admin\AppData\Local\Temp\f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb.exe"
1⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6159758,0x7fef6159768,0x7fef6159778
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1244,i,13194357019765776932,8371592786071332507,131072 /prefetch:2
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1244,i,13194357019765776932,8371592786071332507,131072 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1244,i,13194357019765776932,8371592786071332507,131072 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2148 --field-trial-handle=1244,i,13194357019765776932,8371592786071332507,131072 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2156 --field-trial-handle=1244,i,13194357019765776932,8371592786071332507,131072 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3196 --field-trial-handle=1244,i,13194357019765776932,8371592786071332507,131072 /prefetch:2
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1156 --field-trial-handle=1244,i,13194357019765776932,8371592786071332507,131072 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3400 --field-trial-handle=1244,i,13194357019765776932,8371592786071332507,131072 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3520 --field-trial-handle=1244,i,13194357019765776932,8371592786071332507,131072 /prefetch:8
  2⤵
  PID:1156

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1348

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2612
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.0.1534705282\2041771226" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a06ad5c4-ca1b-4460-9583-3b60512d85eb} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 1304 124f4158 gpu
    3⤵
    PID:2828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.1.313184653\21970229" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6472a8de-9eb8-493e-8c26-eb39ae6c52a9} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 1496 e6fe58 socket
    3⤵
    - Checks processor information in registry
    PID:288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.2.655959466\509783513" -childID 1 -isForBrowser -prefsHandle 2096 -prefMapHandle 2092 -prefsLen 21031 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2870a4c-1915-4ca3-aaa2-0aaddd380576} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 2108 1a29c358 tab
    3⤵
    PID:2476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.3.1643802761\1150958980" -childID 2 -isForBrowser -prefsHandle 568 -prefMapHandle 836 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be85cdee-7901-4f38-a6aa-685729cdea1c} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 1668 e71058 tab
    3⤵
    PID:940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.4.974122063\1389500681" -childID 3 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d11d9b90-bbcd-49dd-8f33-bd75d43e6566} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 2996 e62258 tab
    3⤵
    PID:2052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.5.2061593476\92438220" -childID 4 -isForBrowser -prefsHandle 3812 -prefMapHandle 3808 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f99f799d-95c7-4150-8960-8ee20c3072fd} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 3804 1eefd958 tab
    3⤵
    PID:2552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.6.1527970448\1275888748" -childID 5 -isForBrowser -prefsHandle 3940 -prefMapHandle 3944 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f47dc593-493d-46d5-99b7-b093eb82a4e2} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 3916 1f84e258 tab
    3⤵
    PID:2576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.7.1338171133\961375396" -childID 6 -isForBrowser -prefsHandle 4112 -prefMapHandle 4116 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f48a77d1-8cbf-48c4-9072-dcb923e9d352} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 4100 1f850658 tab
    3⤵
    PID:2536

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\GetSplit.m4v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\74517fa4-c8f6-4ee4-b5fe-bf55345edb2e.tmp

Filesize
277KB

MD5
b058261612aabf1d570aa3d84d665c58

SHA1
b603a4741840658f824329cda045829b789c183b

SHA256
c74bd27bac008d7a4428c3565ee7442ac0b1d4fca89505d957ca4074bcc9cbe9

SHA512
f39a779bed03c8d4fc3459a9120f7f7b84c3b8136f655291dacb10778ca528013147249eac9e812e069157d530b12ce5dd4ecdb78123ebd7c859ca1b38fca944

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uu0g08su.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
3c35205500c315104ba3a48179e19765

SHA1
5f178e99daef631d03193fb822ed2d98da18cada

SHA256
2d9c60ec8c2eccf813a3f12579daa79c533953179c5776487a3d41ee6f97393a

SHA512
918d56b3ec44d9fe2b9cf2d96fa49eb3af564ed3aefee4f2d524ac1058f70c5e233cf3bb7247ed3c8a785b034bdc85bb2d800405d417a6e4d0decabc034e3d2a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
0d675f3e04a7d743580532d9aebf4ae7

SHA1
c2803372c2e318a228fd4cc94e60950238bfbb12

SHA256
ccd0df424c660699bc62d42710eb935b2c608b559cb9243dcc240342dc78b93f

SHA512
c855b28a9a294e687c499479e91a859ee84209c6ebfd2f5688de85e9f957c511e22dca19119c7bd3a173117e06dde3578cac2d8dc09ddccffab06c52ffa9cc7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\pending_pings\8c0bb180-6979-4cef-8e84-feef87b359a0

Filesize
745B

MD5
d160b9da2ce854ee2caef495990a088a

SHA1
95e1745088facfbd871e8f1f76bf945d1c911c7f

SHA256
383c9e88b4b0873e159edb3ef1867381b3ba56c4b1ca6c5569d6eb37fb3bb0b3

SHA512
ee680a030cc8f1cf6a899d9bd882d1d742a19453b30eb735e9c0afab02bf7d92b0a9ed0583ee247176070bdfc7d18545c712f78806c4237a95f976c18ed07503

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\pending_pings\ada585d6-7448-43f5-8b1b-0485e2e570b2

Filesize
11KB

MD5
cc597ecab4b2a083b24107bafd4c192d

SHA1
6871ea687ecb41dd5525bec7a7ce3b309d1aedfa

SHA256
76057034acd0b3acd65ffd394360cda0b7a3529c9949ab744d46f5a39977299e

SHA512
7956bdfea8f4085f8fe1d8310a789ef62ddb8cd040cbbae8de5bba2b51d92921a9f5045f68ef9399b96debe84f462dd19f1e7667b19041197c5e2059d82447eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs-1.js

Filesize
6KB

MD5
957d271d1c0750116039bc78b98e42db

SHA1
c39b0062a7103b21a8f6f6aa4089e2b2a2c5ecdf

SHA256
8e58eacd0dc15be346877acaabbb1b0f61ec986ea46aa6e3e0ed04b94bc9e94f

SHA512
4fea42ae899f5aaf60e59e6335d6adef63ecc60fee80fe2b00401963346c41e2f9ad8e161b758587e05f596b430be295ac3dfc1f7fa7ea678084722bd673ee8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\sessionstore.jsonlz4

Filesize
833B

MD5
a15a2be355763051fac672ef33a95a84

SHA1
e93080bdf81b0e5996967a6872a6cc7e05acc340

SHA256
8de4dd20c26a95cd828142a7e24c5997ce90ee1c34c2e446a2101b971c91e464

SHA512
c992d962f011043007d316ffc8fa4698c2024f767d1f3ae3f7dd7af50e99823f769c5bfe8f739d088153d0319a78948e42b779546816e07a8aa803414c73d8b3

Download Submit
memory/1600-317-0x000000013FE30000-0x000000013FF28000-memory.dmp

Filesize
992KB

Download
memory/1600-318-0x000007FEF6A70000-0x000007FEF6AA4000-memory.dmp

Filesize
208KB

Download
memory/1600-319-0x000007FEF5D70000-0x000007FEF6026000-memory.dmp

Filesize
2.7MB

Download
memory/1600-320-0x000007FEF37D0000-0x000007FEF4880000-memory.dmp

Filesize
16.7MB

Download
memory/2228-0-0x0000000000400000-0x00000000006F3000-memory.dmp

Filesize
2.9MB

Download