4c6c4fc0ca10c78f6cdf3307f3f82eca66a8b207e40c4378de31853c9fec3c22

Analysis

max time kernel
1559s
max time network
1563s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirtualBox-7.0.18-162988-Solaris.tar
Size

120.8MB
MD5

f6d6f6d04d32480e1e511422b8920c1e
SHA1

ba3fa49463ee4edd69ffb2eb8926358afe7ce2b5
SHA256

4c6c4fc0ca10c78f6cdf3307f3f82eca66a8b207e40c4378de31853c9fec3c22
SHA512

0bb90056cc56dbc7e674a45422fb0775e8dbdbda3c6d77263cfdbbca960ce6f49ef932f65ebbbc7d5a54c71111da028dc01681840b4b1959ed3ee6174e1c2441
SSDEEP

3145728:u/aCn99VhHtZeKOu5Na4VAMD1mzFUuIlYF5S5ICRhU6f+PfoY:uX99jHtsKO2U4VAMD1mzYES5rYm+P

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
264	notepad.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3060	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2140	chrome.exe
2140	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2660	rundll32.exe
3060	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	firefox.exe
Token: SeDebugPrivilege	2480	firefox.exe
Token: SeDebugPrivilege	2480	firefox.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2480	firefox.exe
2480	firefox.exe
2480	firefox.exe
3060	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2632	2804	cmd.exe	31
PID 2804 wrote to memory of 2632	2804	cmd.exe	31
PID 2804 wrote to memory of 2632	2804	cmd.exe	31
PID 2632 wrote to memory of 2660	2632	rundll32.exe	32
PID 2632 wrote to memory of 2660	2632	rundll32.exe	32
PID 2632 wrote to memory of 2660	2632	rundll32.exe	32
PID 2660 wrote to memory of 592	2660	rundll32.exe	34
PID 2660 wrote to memory of 592	2660	rundll32.exe	34
PID 2660 wrote to memory of 592	2660	rundll32.exe	34
PID 592 wrote to memory of 2480	592	firefox.exe	35
PID 592 wrote to memory of 2480	592	firefox.exe	35
PID 592 wrote to memory of 2480	592	firefox.exe	35
PID 592 wrote to memory of 2480	592	firefox.exe	35
PID 592 wrote to memory of 2480	592	firefox.exe	35
PID 592 wrote to memory of 2480	592	firefox.exe	35
PID 592 wrote to memory of 2480	592	firefox.exe	35
PID 592 wrote to memory of 2480	592	firefox.exe	35
PID 592 wrote to memory of 2480	592	firefox.exe	35
PID 592 wrote to memory of 2480	592	firefox.exe	35
PID 592 wrote to memory of 2480	592	firefox.exe	35
PID 592 wrote to memory of 2480	592	firefox.exe	35
PID 2480 wrote to memory of 1704	2480	firefox.exe	36
PID 2480 wrote to memory of 1704	2480	firefox.exe	36
PID 2480 wrote to memory of 1704	2480	firefox.exe	36
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37
PID 2480 wrote to memory of 1856	2480	firefox.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Solaris.tar
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Solaris.tar
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Solaris.tar
    3⤵
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Solaris.tar"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:592
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Solaris.tar
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.0.1989074578\1579406137" -parentBuildID 20221007134813 -prefsHandle 1280 -prefMapHandle 1272 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6874e4b2-841e-4356-9270-0251743c4391} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 1344 106f1258 gpu
        6⤵
        
        PID:1704
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.1.171770331\2102344066" -parentBuildID 20221007134813 -prefsHandle 1544 -prefMapHandle 1540 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0351451f-6ac4-46b8-9c27-9faeabae53f4} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 1556 f3eb558 socket
        6⤵
        Checks processor information in registry
        
        PID:1856
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.2.2089980810\2076448577" -childID 1 -isForBrowser -prefsHandle 2032 -prefMapHandle 2028 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6b92d14-c06c-4739-9745-1d72b8c08a5b} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 2044 19397e58 tab
        6⤵
        
        PID:2464
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.3.1530279921\504387176" -childID 2 -isForBrowser -prefsHandle 2472 -prefMapHandle 2468 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64349a8b-d650-485f-b704-b61df6a388b4} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 2504 1bd34658 tab
        6⤵
        
        PID:2164
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.4.1729927194\501114471" -childID 3 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 26526 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0da792f2-c90f-4ab8-a518-dd084c6a307f} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 3672 1e323c58 tab
        6⤵
        
        PID:2700
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.5.832754922\2032524341" -childID 4 -isForBrowser -prefsHandle 3784 -prefMapHandle 3788 -prefsLen 26526 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ded47fcf-4dde-445d-a03b-03755bf7d13c} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 3772 1e89b558 tab
        6⤵
        
        PID:2856
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.6.1757240596\46799819" -childID 5 -isForBrowser -prefsHandle 3960 -prefMapHandle 3964 -prefsLen 26526 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {760bc187-02a3-4f6a-bba8-34a5f2ba1bb7} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 3948 1e89be58 tab
        6⤵
        
        PID:2924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\VirtualBox-7.0.18-162988-Solaris.tar"
1⤵
PID:800
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\VirtualBox-7.0.18-162988-Solaris.tar
  2⤵
  - Checks processor information in registry
  PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6769758,0x7fef6769768,0x7fef6769778
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1368,i,7353881713064753851,8588983162349174804,131072 /prefetch:2
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1368,i,7353881713064753851,8588983162349174804,131072 /prefetch:8
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1636 --field-trial-handle=1368,i,7353881713064753851,8588983162349174804,131072 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1368,i,7353881713064753851,8588983162349174804,131072 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1368,i,7353881713064753851,8588983162349174804,131072 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1400 --field-trial-handle=1368,i,7353881713064753851,8588983162349174804,131072 /prefetch:2
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1456 --field-trial-handle=1368,i,7353881713064753851,8588983162349174804,131072 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3620 --field-trial-handle=1368,i,7353881713064753851,8588983162349174804,131072 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2156
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f617688,0x13f617698,0x13f6176a8
    3⤵
    PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3684 --field-trial-handle=1368,i,7353881713064753851,8588983162349174804,131072 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4020 --field-trial-handle=1368,i,7353881713064753851,8588983162349174804,131072 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 --field-trial-handle=1368,i,7353881713064753851,8588983162349174804,131072 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2544 --field-trial-handle=1368,i,7353881713064753851,8588983162349174804,131072 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2356 --field-trial-handle=1368,i,7353881713064753851,8588983162349174804,131072 /prefetch:1
  2⤵
  PID:1660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2720

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\SubmitDisable.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:264

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ReceiveImport.rmi"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e81c4fa736229697c5d957058106769b

SHA1
884fe9536165b365eeb91472daa6a97fa409d963

SHA256
85cb73e9574ef255083fcc804f102a0cfdabe10da2ffbc49d7cd4e6443603136

SHA512
2f6fbe7ea74f65090cb63bf5785a9d07ec246d65a5d1f83f5e4961657e659024b51ede74274fe745f6397032c0506bbf2537236dd26824bd44dc744cd1bf008a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c945f2573ba3efae4e57d572bf77bc55

SHA1
1dc45a71586c06f3dbbe243e4344a66346e178aa

SHA256
675e61748423ace002a50726599cdcbc68c537f9a83501169cf2899d56862200

SHA512
f9a863d031f488dc0ae46ca07f0dc3bd357d801d50736c4343e5d5d580e5340abff3f045008c3c2f70241d5b72e8389744c7457377b0eb9d989d980b9c29f367

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2dc9eac927069fb9a555ff62ad6b96de

SHA1
19e9d5f251cefb2695926f7a08e55bf8a317b003

SHA256
76b0dc4e15f3ca294cb0ace305b09c5517aeb4f163fddc69fb0f10b1e9a6396c

SHA512
2cfbe96d141cacf3574c577c69e69f5d099dabd40132d0723be9cbdf2a66ec3d6fcdc837ba8e9c1738e27cf445102b00d5047b94a07ec7afbdc99605e8b29885

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
c6a1fcb3fc9618a64f08d914ed68f562

SHA1
1f003414cf4817fb8cb124b08802bf240f658bb5

SHA256
d31effd5d2423e58c535eac97de293c66c352d787a541fd699bf8afcd2e1a2d9

SHA512
688d3d4c3233111f196d1071d5158ba014f38209ab4036f5130da5e8e13f48197888b0613b1dada14b8c351fa3135dbd41c2e48d6fce28793dee0b2b6d4dc9aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
8ad7c2562bbfee5e328972e1214edd7e

SHA1
544abecf5f77b87903a9f3ed6f2b8384713646ba

SHA256
25dc911499dc5cbe51cee60d7ec7319eaaeb538fd29fb04c77bb99feb8447a54

SHA512
564d6921fed5a287b0606beecb72ba5284c7df639f7e4691b0671d1d5b8375a2b998c14c5d87688d15af969cc4cb5a975085433917ff5520bf4f4c637eb8054e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\cc6268ea-5399-4046-9db2-0f042ec9bfd7.tmp

Filesize
155KB

MD5
a55a4f5eaaa670187f782ecd2999d06a

SHA1
2047af6715030d407a21667e746423de6172644e

SHA256
a8578b4d6a24bc70472d777faa2c5fda008de784d84f0d4a06a663f2caf80e11

SHA512
eefdcbdaea86ee6a8e52f4c3151f8eff5df27866912dc207446fd3276460a5bdd718ef51ce1ada52fa010f6e1f1d68d2cc72ed025b7b2e003fee13598cc683f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b0ea7aafe841064893b3018754a0ed01

SHA1
ce2f270154ae206d7de20449a4d505ff2569b93f

SHA256
6ec4d7eb51d1495c068b4a6913c89a34303bc44ea0bd1b34d2fb31caaab7edc5

SHA512
7f588b53e38f5fab9be5404102e6e4c084a134fe9a9025ce39a4cda590ddc3460e554ff02e52d04f5948b3e2e13c7b032b21d9a6140cfd35985c9827db5c9600

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\pending_pings\12292a4c-78e3-476e-8ae3-990fc5b79e36

Filesize
11KB

MD5
855b86efa097233d89a6bbb53aa053b9

SHA1
433440ed822778cb3dc8f72fe306bf1b0bb2dc37

SHA256
84e0dc5bdbfd781ab3370e85ff9de1712c37ea2ec43ca011c894d4af73039ac1

SHA512
fb73f6bd5147be071f1f85ec434b41ba9cbafeb571ffbbd1aadcb5d31fc294cbe48da980c6572a31d8a1d332a0ee9f01bc3276a1d53c345a829b529f6308895a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\pending_pings\45502c79-a22f-47bb-b5a5-16e013ae71e5

Filesize
745B

MD5
ea848f0db4f9d14e8391a42723c05d67

SHA1
53656a0ee17c6c6bed64c116cb9b03cf2f179436

SHA256
97a5b933d67e96d006a4ede31d32d0557d0645391cb61cb72ff22f58d61107c5

SHA512
373a1c587f243788bb13b735042c9ab5c7e3b02d46c06ccb19335be1cdd5e43444c1ff19fd693eb6766e560129598aa22e1e4cbc794d3b3584a2c168c35c0ffb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js

Filesize
6KB

MD5
b6e9d9bd5c5c074c19efd93774af20b1

SHA1
c5b967ab851ef90e56a2172ab2ccecd39b00f04c

SHA256
df2b5ab1013b5d0a3f6938ca6b4495512cda50e18368faa184507d90ca1a4c81

SHA512
e81b677587d8a361087322a2bbeaeed35c46096fe71b8ac4f2a0912256b92ad0aa37dfd62952222219f89d93492aa47e4bff1e152c743d805d5e5fd5a473f903

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js

Filesize
6KB

MD5
88dcfb68ed519326d7ac0b292375ef86

SHA1
411b0a01f8742c6bcd4610e9f05ef2d19cf47573

SHA256
371e00f2c42fffbfc2fa0f500d1350035da4a2b6c6bb37a64c427af91b84a2eb

SHA512
d5dcdf12ebad2d49251eab8151f08e8b06e8343d5398ee4f35b0d1812901b804456a7d023b3d46ee0e3a80ac7d87a6f3a2af9d6911b986e2c101ba130470d098

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1017B

MD5
752f003d2a9c23c37dcb92efbfe972f0

SHA1
dd3f5e14681c4a309d35e697540625e6d81f4f44

SHA256
c1448f3d18f03523786df98a8bc2054796e4d12156c9097566dc429a46762d01

SHA512
a5d9b207ba08893e0cfed7536bddac7f5e274c69f4f6d5fa20d92e09e3fbf2e8f9f9b7383438507de79437d4af1312e0e7f0b266855889d6c001639f15778f95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\sessionstore.jsonlz4

Filesize
698B

MD5
39a9b65f0ebe723e69ca67fd633d9112

SHA1
b14f21c4f17779824b9d72ac3a29e5c29dcfe971

SHA256
def8d149f47a5940f5a2a097066bdfa91cbc00e37fb7891d6c516ba3f06f7958

SHA512
4b132fa7cd350755648d7b14388669c8e929d08ec72de91e7f373439b788887b0fc5e99824b9007579234b0091fa428e003df1dc2cbf836b85d39ea10d64daca

Download Submit
memory/3060-452-0x000007FEFB590000-0x000007FEFB5C4000-memory.dmp

Filesize
208KB

Download
memory/3060-451-0x000000013F090000-0x000000013F188000-memory.dmp

Filesize
992KB

Download
memory/3060-453-0x000007FEF5190000-0x000007FEF5446000-memory.dmp

Filesize
2.7MB

Download
memory/3060-454-0x000007FEF3960000-0x000007FEF4A10000-memory.dmp

Filesize
16.7MB

Download