chaos | 2c1d1c6cc6fea441623d1cdc663656f171fa66d92809a157915c2ada06a121cf

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lime.dll
Size

7.8MB
MD5

10c074a00debe4a97608e78cb36247ab
SHA1

779125eb7faef7e549eff67eeb55c177a8dfbc70
SHA256

2c1d1c6cc6fea441623d1cdc663656f171fa66d92809a157915c2ada06a121cf
SHA512

86080ba0ad936148f46f3cc56c8b5c474c72b9089657e7bd21286a2a2114eb07f20870e0dd96318685024ab929d17a382529c383049b7bd056553c4565473485
SSDEEP

98304:z0A/ndXX+HO+M16KrdFLJRzdfiHy4AyBS6iHIA198:z0wXX+Hc1nrtRgz

Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/files/0x001a0000000190c0-330.dat	family_chaos
behavioral1/memory/3060-415-0x00000000001C0000-0x00000000001E4000-memory.dmp	family_chaos
behavioral1/memory/2508-421-0x00000000001B0000-0x00000000001D4000-memory.dmp	family_chaos

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2252	bcdedit.exe
2488	bcdedit.exe

Blocklisted process makes network request 64 IoCs

flow	pid	Process
17	2220	chrome.exe
18	2220	chrome.exe
23	2220	chrome.exe
24	2220	chrome.exe
25	2220	chrome.exe
26	2220	chrome.exe
27	2220	chrome.exe
28	2220	chrome.exe
30	2220	chrome.exe
33	2220	chrome.exe
34	2220	chrome.exe
35	2220	chrome.exe
36	2220	chrome.exe
37	2220	chrome.exe
38	2220	chrome.exe
39	2220	chrome.exe
40	2220	chrome.exe
41	2220	chrome.exe
42	2220	chrome.exe
43	2220	chrome.exe
44	2220	chrome.exe
45	2220	chrome.exe
46	2220	chrome.exe
47	2220	chrome.exe
48	2220	chrome.exe
49	2220	chrome.exe
50	2220	chrome.exe
51	2220	chrome.exe
52	2220	chrome.exe
53	2220	chrome.exe
54	2220	chrome.exe
55	2220	chrome.exe
56	2220	chrome.exe
57	2220	chrome.exe
58	2220	chrome.exe
59	2220	chrome.exe
60	2220	chrome.exe
61	2220	chrome.exe
62	2220	chrome.exe
63	2220	chrome.exe
64	2220	chrome.exe
65	2220	chrome.exe
66	2220	chrome.exe
67	2220	chrome.exe
68	2220	chrome.exe
69	2220	chrome.exe
70	2220	chrome.exe
71	2220	chrome.exe
72	2220	chrome.exe
73	2220	chrome.exe
74	2220	chrome.exe
75	2220	chrome.exe
76	2220	chrome.exe
77	2220	chrome.exe
78	2220	chrome.exe
79	2220	chrome.exe
80	2220	chrome.exe
81	2220	chrome.exe
82	2220	chrome.exe
83	2220	chrome.exe
84	2220	chrome.exe
85	2220	chrome.exe
87	2220	chrome.exe
88	2220	chrome.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2152	wbadmin.exe

Downloads MZ/PE file

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\App.url	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	App.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_me.txt	App.exe

Executes dropped EXE 2 IoCs

pid	Process
3060	GLPG.exe
2508	App.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	App.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	App.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	App.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	App.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
90	raw.githubusercontent.com
91	raw.githubusercontent.com
94	raw.githubusercontent.com
95	raw.githubusercontent.com
96	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2iz1uls01.jpg"	App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	App.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1152	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1748	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2508	App.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2240	chrome.exe
2240	chrome.exe
3060	GLPG.exe
3060	GLPG.exe
3060	GLPG.exe
2508	App.exe
2508	App.exe
2508	App.exe
2508	App.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe
Token: SeShutdownPrivilege	2240	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2896	2240	chrome.exe	29
PID 2240 wrote to memory of 2896	2240	chrome.exe	29
PID 2240 wrote to memory of 2896	2240	chrome.exe	29
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 3052	2240	chrome.exe	31
PID 2240 wrote to memory of 2220	2240	chrome.exe	32
PID 2240 wrote to memory of 2220	2240	chrome.exe	32
PID 2240 wrote to memory of 2220	2240	chrome.exe	32
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33
PID 2240 wrote to memory of 816	2240	chrome.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lime.dll,#1
1⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef74d9758,0x7fef74d9768,0x7fef74d9778
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:2
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:8
  2⤵
  - Blocklisted process makes network request
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1748 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:2
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1276 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3632 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:1
  2⤵
  PID:280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:8
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2400 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1932 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2808 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3952 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:8
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4056 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4128 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 --field-trial-handle=1384,i,221643173224423310,2590897608769186481,131072 /prefetch:8
  2⤵
  PID:1764
- C:\Users\Admin\Downloads\GLPG.exe
  "C:\Users\Admin\Downloads\GLPG.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- - C:\Users\Admin\AppData\Roaming\App.exe
    "C:\Users\Admin\AppData\Roaming\App.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    PID:2508
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      4⤵
      PID:2288
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1152
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:1296
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      4⤵
      PID:2872
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2252
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2488
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      4⤵
      PID:2220
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:2152
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_me.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:1748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1508

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2336

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1692

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
177e182ecbc8c50ff730be0e8a60005a

SHA1
1c43883ce287732ada3a67cd6179c5ecb63d2d35

SHA256
c7587b2eedd6c33ee8a19494303196c71660bf7972b54e15426c0ff27e6f8da8

SHA512
1a2be5b1c1be72b5d0fb62d82b080c13babba33fc48320d3cff1901d31b1133aac311e9bc32c54f6ee7199de5bfc05793568c484ef4705f7e13a42cb8a49a742

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d308efe16a33a4f421d97e9869459eeb

SHA1
bb67dbc88575312f6607f31c1d4eab8d1349359f

SHA256
4d5a1cca8540f0726f12e08659a14d16c8a61dcbe52d3d9fe7e9dfdc4bf2e9d5

SHA512
da6bdfd6d1018ae1557c5db2dfe0b5063b111830e5fa94164c604e8bf471df83f3ca3a934e5b46831dbf8f1cc991a19f1ccdfcbce16e8467b2863c83632f902d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dba213a854c6693d03d44a2910eb1384

SHA1
bcda6f5312c98203641743fd6257b04a9158709d

SHA256
4adf254f7e8825c061554a2ec4e13116b8b8ca293a0fe46338e53cdc5583c6ae

SHA512
8d1f5f15a1f77159863e5ce40b368c779d7142de063b4f200d54452b58f011f603f152cee5932141b629bdb2eaec1c5cd46f2b86aeab7d08cf941e3a33d6f27c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
6b45a9757c67630a5576d88c8d8cc0d5

SHA1
58dd879fa38dc836d9a4bba24fffdf3ed432c171

SHA256
0307d2f0ba752032a854fcf636010d3356b93d2ce4140fd2c26823f5ee53e287

SHA512
52e7c010c71822b2a9a7e51830bc96994b0c9b546a2f71f16f65b45c56153feae7a02e05a65aea9be4a3652f39e4f3f5de1588196ce9b206f6cd57d2febbf480

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
45bdad1aadbdf3dfa688a336d9c1348c

SHA1
d1089a82b08f11b47208a47b5084c3a10625395c

SHA256
2a0eeae6c90a70f3935c47150d54d03c5c83bc74dd2568021bd6d6e5b3aa9ec8

SHA512
d5b36d514fe4b1700a12bd6f1cad29b6de01b086502cd792881cd2742b373234aa63efb90f1d4bba5a3d7384a19414754ec9e967f8938d89d27f7711c159f6a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9a2ab6e89183ff3bc50844663c43ea32

SHA1
c263fca404b384595d33fa3c103f4b768c61948a

SHA256
48c2d308a10014c3c3a90d11a2bcc033a8068678ba6b151cdf4be20204b670de

SHA512
413e23cb21a7ba3fb0050eb84bc1e064f85e4ad05d540ee9bcbe5feda42a785acde93363872ca93e7df910ecd7ebfb9853b88d811194c73765d1fff6d74e5a6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
305KB

MD5
7313ea0e23a0b00e4762c480cf12c6a4

SHA1
26e240bde6d083dd4f10194b2fa9c047bedfa664

SHA256
85971282f8eaa90e678ea8558729091e6d35a7a6fcbc97fef890d3fc4b8c6e7c

SHA512
da859559c23802ff10d0f42b99a81a26635fd3d9fb88e7a3013a2c2c836b7f91e461a8be00ec80a4b5634ec07d410a455d02e108da3eb01efbcc5c05b37c2201

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ad661d1f-1ca8-43b9-b939-00fa23d320bb.tmp

Filesize
305KB

MD5
e7ef9e2025b32e98a6d304af6b019685

SHA1
a0080f414e8e4b987b1cbe02402bc87bc6fb1150

SHA256
040a085014d1dec4fcc4019450ee5c5a2a2cd7fe8b47cefc9a733191e969187b

SHA512
4b20c9d8a5750d507b1bfd845b4265c54957cfaa9fa981649d78b8f49ec49f41856c81324818b5c0c95855238925371abc0a1144c878a576b1a7c904b18b0d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB3B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarECA5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Documents\read_me.txt

Filesize
366B

MD5
678f8ac8fa271ec5c376ab16b4f2f4fb

SHA1
465e8d80f829c656306e75418a431ade164716e3

SHA256
b267a9574217efe2bf6027f457ffa18826a2fc5c92ac520ccfa68fb61fa3d5cc

SHA512
00387daf94664ce41d1190a6ac07280203e2692d2731ff88f485c5106314ae1a78080f57c3d1d53142da4fdb5aa2a168f0bce368922bbdace8e78c1ce540b4a5

Download Submit
C:\Users\Admin\Downloads\GLPG.exe

Filesize
122KB

MD5
3abcf91c090a46d6faaaf087e3dcc047

SHA1
004786a6be26c4e2347ed3ecb88f5a6b738087c3

SHA256
95f4bc55344096ff5e0a724221a4b1ed8e708bcf28d99239856cdcf498a7f9a9

SHA512
be06d76c201d668099c317ca84d32eda15543a21c1c013602a6707ee7a02f56c848285a724ff5a83d9ee4e2d93125ca2dd64b6ffbd0874c08ebd8b9a8000a6ec

Download Submit
memory/2508-421-0x00000000001B0000-0x00000000001D4000-memory.dmp

Filesize
144KB

Download
memory/3060-414-0x000007FEF3EE3000-0x000007FEF3EE4000-memory.dmp

Filesize
4KB

Download
memory/3060-415-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download