chaos | 2c1d1c6cc6fea441623d1cdc663656f171fa66d92809a157915c2ada06a121cf

Analysis

max time kernel
1561s
max time network
1562s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lime.dll
Size

7.8MB
MD5

10c074a00debe4a97608e78cb36247ab
SHA1

779125eb7faef7e549eff67eeb55c177a8dfbc70
SHA256

2c1d1c6cc6fea441623d1cdc663656f171fa66d92809a157915c2ada06a121cf
SHA512

86080ba0ad936148f46f3cc56c8b5c474c72b9089657e7bd21286a2a2114eb07f20870e0dd96318685024ab929d17a382529c383049b7bd056553c4565473485
SSDEEP

98304:z0A/ndXX+HO+M16KrdFLJRzdfiHy4AyBS6iHIA198:z0wXX+Hc1nrtRgz

Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/files/0x000900000001934d-341.dat	family_chaos
behavioral1/memory/2524-475-0x00000000013C0000-0x00000000013E4000-memory.dmp	family_chaos
behavioral1/memory/448-481-0x00000000009E0000-0x0000000000A04000-memory.dmp	family_chaos

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1356	bcdedit.exe
632	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1600	wbadmin.exe

Downloads MZ/PE file

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\App.url	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	App.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_me.txt	App.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	GLPG.exe
448	App.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	App.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	App.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	App.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	App.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	App.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
122	raw.githubusercontent.com
116	raw.githubusercontent.com
117	raw.githubusercontent.com
120	raw.githubusercontent.com
121	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdzh0ftbi.jpg"	App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	App.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1764	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2868	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1364	vlc.exe
448	App.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1992	chrome.exe
1992	chrome.exe
2524	GLPG.exe
2524	GLPG.exe
2524	GLPG.exe
448	App.exe
448	App.exe
448	App.exe
448	App.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1364	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1364	vlc.exe
1364	vlc.exe
1364	vlc.exe
1364	vlc.exe
1364	vlc.exe
1364	vlc.exe
1364	vlc.exe
1364	vlc.exe
1364	vlc.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1364	vlc.exe
1364	vlc.exe
1364	vlc.exe
1364	vlc.exe
1364	vlc.exe
1364	vlc.exe
1364	vlc.exe
1364	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1364	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2136	1992	chrome.exe	31
PID 1992 wrote to memory of 2136	1992	chrome.exe	31
PID 1992 wrote to memory of 2136	1992	chrome.exe	31
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2732	1992	chrome.exe	33
PID 1992 wrote to memory of 2880	1992	chrome.exe	34
PID 1992 wrote to memory of 2880	1992	chrome.exe	34
PID 1992 wrote to memory of 2880	1992	chrome.exe	34
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35
PID 1992 wrote to memory of 2716	1992	chrome.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lime.dll,#1
1⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d89758,0x7fef6d89768,0x7fef6d89778
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:2
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2336 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:1
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1172 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:2
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1400 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3984 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:1
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2784 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2772 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4068 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4084 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4208 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4196 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  2⤵
  PID:876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2980

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\FindPing.vbe"
1⤵
PID:2236

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RequestResolve.wpl"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1364

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1916

C:\Users\Admin\Downloads\GLPG.exe
"C:\Users\Admin\Downloads\GLPG.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2524
- C:\Users\Admin\AppData\Roaming\App.exe
  "C:\Users\Admin\AppData\Roaming\App.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  PID:448
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    PID:2064
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1764
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:1976
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1732
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1356
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1752
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1600
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_me.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2044

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2408

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2392

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1472

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk.3kqc
1⤵
- Modifies registry class
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14c18c34b46ffa8e88f0ff7c273cb8ed

SHA1
d47f2ad50d472a197950b69d6423e347eaf3beab

SHA256
69fbacc924838902c9367bfed462146252580089adf09baba170c9f36211b757

SHA512
39ec4ddfe09097de966f0ef9b506bbd0cc88785e9febf31ca369fb9b6cad76024336eaedd358c9b33652a65533e285f24f0300a1d242dc273282dbf78be346fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ab1c204a3620d66dc732f1dc6297bd8

SHA1
2ac9159653f8798b0d46d14cc70d31107eb5bf04

SHA256
b3f48d4e5a1cce3b7d9b7dcc26d4e6db42a045d157100c19651fdc0a0e7fce2f

SHA512
c7ff419e81fe9a10db477113e8dad472ffad8e7892eec51bea187eb1b2c58264309d4f9eb108d0cbf69771d389cfb12fb76b2a5d8d17018e27418b1126ca9de4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5eefdc6063d47543303f2b19fc8c96cb

SHA1
c4c7c217656aebfc3853ba4024a6fad4c3d1b480

SHA256
74527bfcda97726682df5d2c6fdc8017f41e8a749758b27ddfac3caebe7afb4d

SHA512
5ebbece0a82bdc2dc7281cbc291f08e37ce54db22370106ff92c8ad5ce86a9529aeb64db01b079fc66a4cee2246935b269466d36cd8b99771b90d434d9d68149

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b975540124aed6252a3bd8c738f2cc8

SHA1
e2e8875b5a11876ef075a2dc520e121ff6bd4910

SHA256
5b1ac617332f62bffb0d7e2bd09a3ba98d9c85a90f0ae3e1c31bfb128efdd193

SHA512
28dee98cc7e5343376bf99df8b502b233d0f23f411ca1d41ac2e108d9bd0f102b542ca291785d408f2a19d88f56a443fcafd18e3f3ee4cd96474624d6f54ee0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfdadfa6c91fa761020559ab0bd5bc02

SHA1
ae4a6ce7fae2c7cd75de5f9a1df117884603c19c

SHA256
d46e4097ad0bdfef82da4eb045335b830f6b1ab87385274d9536232accdc70ed

SHA512
efd55423a54dc6de1a1c4be36211d388ccee0ded21bd59fdc6c9d90d93e7bd0a29064f45cdce4c55545cbe82eb1ffb78e11d55197f17b193d4dd809e9618f715

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4574a423-ffde-4963-b7a7-d2f703626353.tmp

Filesize
305KB

MD5
5d1f3c201b5eb45655ee2f664beb0d7a

SHA1
c68d6ca6992fb78da9af18da80f34ba05733dcdf

SHA256
a4cbf712495dee38b627814c53c387fa0765db97a5f553b778b818e63f84a2de

SHA512
4298fceac0023e045f62016f91f34e25cba11a2c2d989ac1681dd4c05c37d7848fcbf55922a4565447079d147d2abf7c8d4cc7531d1878c8e6a35411a2dc7440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
95cf63b41a9729c935cb8ce0bf1bf621

SHA1
857f83c2c991687f680437b327db055468e7099b

SHA256
f98729cfd0e5b47d8f6cf13caa688db3f7fff486713db75af6899becc7328b8f

SHA512
9c23fe33d1e61944de64f7d104de1055f0480d2695a2b37e86c912059352fb5eb6e83c25034d406dd9a31e950a704ae0f737a3af5fa10b1131e4dfc778737636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
72df9e475f1bc846e28e84057fb74292

SHA1
e899f011a8a96bc6a7d41ca7882d473f1c271295

SHA256
0b98c8eff93c1a643c002c89143a63afbc811905d8a51ee6b74025ffbd6ce661

SHA512
5a89118149045a11a4f03eba6a8c0d1ab7a9320865d8d29fc18b75d032b0688d59927336dadf3c7051406dbd83e9b05881259abca3cfa06d4b93e7ab09924766

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
387684ce1332c44c95bde07620910b8b

SHA1
4917b8be7238cfd8ca6848005009013705fb9754

SHA256
258549e733c6ed60a35ae194b92e932409d1e2e4d26ae6ab615de11f735a5efb

SHA512
fafcf904eadd253e94e87e91148d530774404bc3dc8d13b9d928cb8dbea46cedaf239a342f2ffc7afc89f10ff77fdea51648c114fa3287b0c30ec7c4c107465f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d2d3342bcef759a32dbede8a1fcd270d

SHA1
76d1be7d77b80debf9d5001d461c409e68d7c2d2

SHA256
f653eca5bf2a9511c4aa8fc452b0a0a1b389595569add491095c0c5118c91925

SHA512
9fbf2d3d9d9368e70663a6db00a9fd52cc666b17d2d058f2e79995eaa65c89979e1527fb80c033b0ac95bf2976fd0a0b7cb11d5e0015a20e9d71c94a7186c3ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
305KB

MD5
1f1f8be4eb5b7607f310b55e75dd5915

SHA1
18ccd428d870575aee71bcb33975c1bba8166d74

SHA256
acd6940e7ce0611c07b1267aca3c6e92711f83a504d1457bf9705c0b237b163a

SHA512
b0f16a4e4aa507bfe58572d9ed638a0177a80a36c4936195461ce3a9ac2f6d3e897bac192fe6ebc263255921ba9ff303208539505d136925e1b923203d1532c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF920.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFA0D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
928B

MD5
750440cefb1d91716b86774481e06654

SHA1
1268ddd5673cb1e6662aacd22ac2b9c582b75419

SHA256
f8642bc7edd247a62ca69c212b46f3b544022de4f846dc22abef2311d6845e60

SHA512
55af56bb55899206474a5e37f1990f095a56800e967e897a9aebd6729e1be9701e9c1a2b64d41f698c6d92a72e280423549fa4c7eb520c55619dbe5c7dca876e

Download Submit
C:\Users\Admin\Documents\read_me.txt

Filesize
366B

MD5
678f8ac8fa271ec5c376ab16b4f2f4fb

SHA1
465e8d80f829c656306e75418a431ade164716e3

SHA256
b267a9574217efe2bf6027f457ffa18826a2fc5c92ac520ccfa68fb61fa3d5cc

SHA512
00387daf94664ce41d1190a6ac07280203e2692d2731ff88f485c5106314ae1a78080f57c3d1d53142da4fdb5aa2a168f0bce368922bbdace8e78c1ce540b4a5

Download Submit
C:\Users\Admin\Downloads\GLPG.exe

Filesize
122KB

MD5
3abcf91c090a46d6faaaf087e3dcc047

SHA1
004786a6be26c4e2347ed3ecb88f5a6b738087c3

SHA256
95f4bc55344096ff5e0a724221a4b1ed8e708bcf28d99239856cdcf498a7f9a9

SHA512
be06d76c201d668099c317ca84d32eda15543a21c1c013602a6707ee7a02f56c848285a724ff5a83d9ee4e2d93125ca2dd64b6ffbd0874c08ebd8b9a8000a6ec

Download Submit
memory/448-481-0x00000000009E0000-0x0000000000A04000-memory.dmp

Filesize
144KB

Download
memory/1364-468-0x000000013FB70000-0x000000013FC68000-memory.dmp

Filesize
992KB

Download
memory/1364-471-0x000007FEF38A0000-0x000007FEF4950000-memory.dmp

Filesize
16.7MB

Download
memory/1364-472-0x000007FEF5150000-0x000007FEF525E000-memory.dmp

Filesize
1.1MB

Download
memory/1364-470-0x000007FEF56E0000-0x000007FEF5996000-memory.dmp

Filesize
2.7MB

Download
memory/1364-469-0x000007FEF77C0000-0x000007FEF77F4000-memory.dmp

Filesize
208KB

Download
memory/2524-475-0x00000000013C0000-0x00000000013E4000-memory.dmp

Filesize
144KB

Download