hxxps://www[.]evernote[.]com/shard/s561/sh/057ecb0f-eecf-a4fb-9b23-e04e152dfd90/qCKVAxk5fbXMMmQE9k_e86-FxLpwlnxnS4r60B4nd1zGikqwuIDcypQSkQ

Analysis

max time kernel
300s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.evernote.com/shard/s561/sh/057ecb0f-eecf-a4fb-9b23-e04e152dfd90/qCKVAxk5fbXMMmQE9k_e86-FxLpwlnxnS4r60B4nd1zGikqwuIDcypQSkQ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633514220144220"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5944	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5612	vlc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
5548	AcroRd32.exe
5548	AcroRd32.exe
1964	chrome.exe
1964	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5440	OpenWith.exe
5612	vlc.exe
5748	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
5612	vlc.exe
5612	vlc.exe
5612	vlc.exe
5944	NOTEPAD.EXE
5944	NOTEPAD.EXE
5612	vlc.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
5612	vlc.exe
5612	vlc.exe
5612	vlc.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
5440	OpenWith.exe
5440	OpenWith.exe
5440	OpenWith.exe
5440	OpenWith.exe
5440	OpenWith.exe
5440	OpenWith.exe
5440	OpenWith.exe
5440	OpenWith.exe
5440	OpenWith.exe
5612	vlc.exe
5548	AcroRd32.exe
5748	OpenWith.exe
5548	AcroRd32.exe
5748	OpenWith.exe
5748	OpenWith.exe
5748	OpenWith.exe
5748	OpenWith.exe
5748	OpenWith.exe
5748	OpenWith.exe
5748	OpenWith.exe
5748	OpenWith.exe
5548	AcroRd32.exe
5748	OpenWith.exe
5748	OpenWith.exe
5548	AcroRd32.exe
5748	OpenWith.exe
5748	OpenWith.exe
5748	OpenWith.exe
5748	OpenWith.exe
5748	OpenWith.exe
5748	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 2776	4400	chrome.exe	92
PID 4400 wrote to memory of 2776	4400	chrome.exe	92
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 2896	4400	chrome.exe	94
PID 4400 wrote to memory of 3812	4400	chrome.exe	95
PID 4400 wrote to memory of 3812	4400	chrome.exe	95
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96
PID 4400 wrote to memory of 2912	4400	chrome.exe	96

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.evernote.com/shard/s561/sh/057ecb0f-eecf-a4fb-9b23-e04e152dfd90/qCKVAxk5fbXMMmQE9k_e86-FxLpwlnxnS4r60B4nd1zGikqwuIDcypQSkQ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae9d69758,0x7ffae9d69768,0x7ffae9d69778
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:2
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4940 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:1
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5828 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2556 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1232 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4648 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 --field-trial-handle=1888,i,7182142571706734804,16684118451675736871,131072 /prefetch:8
  2⤵
  PID:2496

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5440
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\message.html"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5548
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:5992
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:4756
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:1904
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D4CFCE229C2D0F0E4FF900BB5155F384 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1260
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=544CB473D22142D72C603E0E263C43CA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=544CB473D22142D72C603E0E263C43CA --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:5408
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=121FAB2BAAAB7AACB6F2C58B2B80514A --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1764
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=905CA2003BC36A2441282D3307CA453E --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:5692
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=149B0342BF961BD564D26B8F577C6EB9 --mojo-platform-channel-handle=1860 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:652
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:5492

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ResetUndo.wmv"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5748
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\message.html
  2⤵
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:5944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
194fe5b99e920f95f4cbfe972725de31

SHA1
cc8b9b64a255477d456e9b1b10e875d63bce3437

SHA256
8eee039b42e10c1a0203b3562a7fbf825b50292cc0b980a53f7846013c9086c7

SHA512
47a1f84f6205e42bb5e997a656ebde124ff9b31489a8b3c44421a72e97964fe234522c1772272312d520a54d40e502a37a37375914b09b84b18b186e349ccb84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4ba6e0b2eded3aabd44151514f1bc2a1

SHA1
6db119c219e97c80faf8a6ada62a947cce7efe9b

SHA256
360288717cfd389752ac15fd741b338637a4d2ef493693053b039e6856f036c0

SHA512
cc000a82f551b8b0cfe6fb7ba0a4cd4bd69c84816438cf4bc7c3ac6862a8506b05682f6acd4be4ba9a0b4d008a50b1f58506926eadf4051e4fa4b0ae39f28b09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ffb12d74109a734e0cd617c2769a195a

SHA1
880ee32284f023a83ecd848d8380b1a7211af22f

SHA256
14e9a9f1d4c0c73796a3309402e1d6da94cd19601fd3ce59276f519ae550bef3

SHA512
543d1ad8d34d22b5c3989fa2b341bc1cfe3e33511ce2d18bd1f73b3fc9966444ed2b1fa392a84d4f5e753f1c6a680a9aba401eb8fddf60e27d6b5b2f7ad5043e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
869B

MD5
7a3c1d1ac0c148fe3f166eb089062a63

SHA1
e345582c6a8950a1930d33b8e4b5dcfe4578074c

SHA256
b323773082bcbb51e14491db1a00882d5bb17bf47d81089bbb18d2059104e37d

SHA512
22cccfd2df0408f955cc76ee5e9dd4bd647ed04a54f23fe38d66eef9e2c8f7e100ae1db84d047670199ff50f76357007ec17aa33c8adaf2d2022706c6d8c8052

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
01ab8f8feb8ffc8ce60576342f5e153b

SHA1
2d66b502042674a9cce640d05dfa1d0aecbc5038

SHA256
e8e1c0a80d09211649d2510da0bb970b2687160e0d41086633434c3d6ab0bb94

SHA512
c7bc67d72efd4695dc1d0e9cb0574d971fcaf130b45f93604571d2544dbce0258233767c25f765d0b2aacdc59566b0a054c578041c52f91b6dd8a53b1fbc29c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e3aabef5a70a26703450a26dd7861e72

SHA1
abbb30354701ea8ccfce90c3128916fd09400dcd

SHA256
c27d695cb9275f61fc0db4c55b41b2e467a20c323102b670d4362758f7a0e645

SHA512
5112e9cdf40bebf2df69e485aa46d5b2b3c5c05dc6ce7d534eb3b2e31071746f5ea9d7e7d8c38626848bfe46ee7d102d0cf7918cb31a41a4d50909b48edc3431

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
49f9d729d78c4c80cf9309af00322bfd

SHA1
b1b2fbed9c22cf08874bff23b1b7496a1f2428af

SHA256
0f1c189cfbd39711f2eb877ecc5600ec5725109c7ea0d3ab2d7b302ccfca6a8f

SHA512
d797922c0bdf3225e5443edeaeda6151eea2adb7f8e5983b93c2a82f5fd0981a8ac89237a5efdc1188d4cf905056fd470b0ad46d3a51ed3439640005cc55a715

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
beb78ec25437ebeac0b10aae432ae609

SHA1
3f23581dd612c07fa9cc8385ab04d76a53a3e577

SHA256
4e9d22ab790b0bf4a7d0a95bed50ef67d7b4feb9c6078643054e23de9478f837

SHA512
5ee96bd5c93976ae327d29dcbaa9f84c71d4c1ab8dd736972ce53df87031db9c380ec70f2449e5d367b8f5c5dcaeba6746237f8b2d9a757bb4cf761258c399e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
876d77229ab4527acac24f44017f4457

SHA1
e770cdb8acf48fb5f051e21747ce1c5e52c72b22

SHA256
0574d5f871e01ebcfd4e52891f67b30c764b8f3a43672fd69a2b7df44a0f1937

SHA512
fc0cc79e6f859f4476496680502d6b138d701c82e7a5258ad08068ead224cdd31f177ef5f8f033735c3a6362b88608bdff27a0fee98c15d5d9de25b8d7d6ae7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
85bcc7966d1d5eb489ce7658a7bf44c3

SHA1
4e5dbbaf679ae4c2c7f4a34f54abcdbf83adfed1

SHA256
3df2d01b9d0379f684cf7583141f7efa366cd6c9e1d55fbee469b25285cc46d1

SHA512
f2fe58deeb81989de2d8e8e9079ea2b0f70494e852f692873af507e4d4b7f549117feb282c3e575b148dba466d1388230707d39bc8af9c31c818277893a38d12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
919421ebf2632a9ea02e2038ee28520d

SHA1
01fc2ff791b24a9d7e0be56e8e4c2d5da728923a

SHA256
1885fe02dade44b6783e3a2f56eab47802ac5105f4bfeaa65e6f8916a8cae5c5

SHA512
0c7fb1b1e4631f35d99b3740a5c408515baaf1743688b756d50a8c61cfc327462b448771096fe8555be5c59d8ca218ac1b499edcf542c072c1fc6eac8f73937a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\message.html

Filesize
521KB

MD5
ce583f4fc3c2506ff63bf3712f51859b

SHA1
9b16c1e84d4b6ae37573b01f5885047c9a464585

SHA256
03728240e2adcb4d7f8f666e94690a61536ac3db6f17899794860f2efc1468a7

SHA512
c851f7bf90030ada41daac26b9c14158f954639e0aaeadeb4d6fff95b28c8c7a8c78b61c02834664101747f8b5989bb7b1f5b6ac47f35c369239ed00607fa6d3

Download Submit
memory/5612-145-0x00007FFAE47E0000-0x00007FFAE47F1000-memory.dmp

Filesize
68KB

Download
memory/5612-153-0x00007FFAE3E00000-0x00007FFAE3E21000-memory.dmp

Filesize
132KB

Download
memory/5612-148-0x00007FFAE3E90000-0x00007FFAE3EAD000-memory.dmp

Filesize
116KB

Download
memory/5612-146-0x00007FFAE4750000-0x00007FFAE4767000-memory.dmp

Filesize
92KB

Download
memory/5612-142-0x00007FFAE4F60000-0x00007FFAE5214000-memory.dmp

Filesize
2.7MB

Download
memory/5612-143-0x00007FFAFA9D0000-0x00007FFAFA9E8000-memory.dmp

Filesize
96KB

Download
memory/5612-151-0x00007FFAE37F0000-0x00007FFAE39F0000-memory.dmp

Filesize
2.0MB

Download
memory/5612-154-0x00007FFAE3DE0000-0x00007FFAE3DF8000-memory.dmp

Filesize
96KB

Download
memory/5612-157-0x00007FFAE37B0000-0x00007FFAE37C1000-memory.dmp

Filesize
68KB

Download
memory/5612-156-0x00007FFAE37D0000-0x00007FFAE37E1000-memory.dmp

Filesize
68KB

Download
memory/5612-155-0x00007FFAE3DC0000-0x00007FFAE3DD1000-memory.dmp

Filesize
68KB

Download
memory/5612-149-0x00007FFAE3E70000-0x00007FFAE3E81000-memory.dmp

Filesize
68KB

Download
memory/5612-152-0x00007FFAE3E30000-0x00007FFAE3E6F000-memory.dmp

Filesize
252KB

Download
memory/5612-150-0x00007FFAE0B80000-0x00007FFAE1C2B000-memory.dmp

Filesize
16.7MB

Download
memory/5612-158-0x00007FFAE0840000-0x00007FFAE0A71000-memory.dmp

Filesize
2.2MB

Download
memory/5612-161-0x00007FFAE4F60000-0x00007FFAE5214000-memory.dmp

Filesize
2.7MB

Download
memory/5612-169-0x00007FFAE0B80000-0x00007FFAE1C2B000-memory.dmp

Filesize
16.7MB

Download
memory/5612-147-0x00007FFAE3FC0000-0x00007FFAE3FD1000-memory.dmp

Filesize
68KB

Download
memory/5612-144-0x00007FFAFA2A0000-0x00007FFAFA2B7000-memory.dmp

Filesize
92KB

Download
memory/5612-140-0x00007FF681CF0000-0x00007FF681DE8000-memory.dmp

Filesize
992KB

Download
memory/5612-141-0x00007FFAE5720000-0x00007FFAE5754000-memory.dmp

Filesize
208KB

Download