Analysis
- max time kernel: 1561s
- max time network: 1562s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 12/07/2024, 09:54

Static task: static1
Behavioral task: behavioral1
Sample: lime.dll
Resource: win7-20240704-en
General
- Target: lime.dll
- Size: 7.8MB
- MD5: 10c074a00debe4a97608e78cb36247ab
- SHA1: 779125eb7faef7e549eff67eeb55c177a8dfbc70
- SHA256: 2c1d1c6cc6fea441623d1cdc663656f171fa66d92809a157915c2ada06a121cf
- SHA512: 86080ba0ad936148f46f3cc56c8b5c474c72b9089657e7bd21286a2a2114eb07f20870e0dd96318685024ab929d17a382529c383049b7bd056553c4565473485
- SSDEEP: 98304:z0A/ndXX+HO+M16KrdFLJRzdfiHy4AyBS6iHIA198:z0wXX+Hc1nrtRgz
Malware Config
Signatures
- Chaos
  Ransomware family first seen in June 2021.
- Chaos Ransomware (3 IoCs)
  resource  |  yara_rule
  behavioral1/files/0x000900000001934d-341.dat  |  family_chaos
  behavioral1/memory/2524-475-0x00000000013C0000-0x00000000013E4000-memory.dmp  |  family_chaos
  behavioral1/memory/448-481-0x00000000009E0000-0x0000000000A04000-memory.dmp  |  family_chaos
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid  |  Process
  1356  |  bcdedit.exe
  632  |  bcdedit.exe
- Deletes backup catalog
  pid  |  Process
  1600  |  wbadmin.exe
- Downloads MZ/PE file
- Drops startup file (3 IoCs)
  description  |  ioc  |  Process
  File created  |  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\App.url  |  App.exe
  File opened for modification  |  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini  |  App.exe
  File created  |  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_me.txt  |  App.exe
- Executes dropped EXE (2 IoCs)
  pid  |  Process
  2524  |  GLPG.exe
  448  |  App.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (34 IoCs)
  All 34 entries are "File opened for modification" by App.exe; ioc:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Users\Public\Music\Sample Music\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Admin\Favorites\Links for United States\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Public\Pictures\Sample Pictures\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Public\Videos\Sample Videos\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 5 IoCs)
  flow  |  ioc
  122  |  raw.githubusercontent.com
  116  |  raw.githubusercontent.com
  117  |  raw.githubusercontent.com
  120  |  raw.githubusercontent.com
  121  |  raw.githubusercontent.com
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  description  |  ioc  |  Process
  Set value (str)  |  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdzh0ftbi.jpg"  |  App.exe
  Set value (str)  |  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"  |  App.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description  |  ioc  |  Process
  Key opened  |  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  |  chrome.exe
  Key value queried  |  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  |  chrome.exe
  Key value queried  |  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  |  chrome.exe
- Interacts with shadow copies (3 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid  |  Process
  1764  |  vssadmin.exe
- Modifies registry class (1 IoCs)
  description  |  ioc  |  Process
  Key created  |  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings  |  rundll32.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid  |  Process
  2868  |  NOTEPAD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid  |  Process
  1364  |  vlc.exe
  448  |  App.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid  |  Process
  1992  |  chrome.exe (2 entries)
  2524  |  GLPG.exe (3 entries)
  448  |  App.exe (4 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid  |  Process
  1364  |  vlc.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description  |  pid  |  Process
  Token: SeShutdownPrivilege  |  1992  |  chrome.exe (all 64 entries are identical)
- Suspicious use of FindShellTrayWindow (52 IoCs)
  pid  |  Process
  1992  |  chrome.exe (43 entries)
  1364  |  vlc.exe (9 entries)
- Suspicious use of SendNotifyMessage (40 IoCs)
  pid  |  Process
  1992  |  chrome.exe (32 entries)
  1364  |  vlc.exe (8 entries)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid  |  Process
  1364  |  vlc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  64 entries, all from chrome.exe (pid 1992) writing to its own child processes; the distinct rows are:
  description  |  pid  |  Process  |  procid_target
  PID 1992 wrote to memory of 2136  |  1992  |  chrome.exe  |  31
  PID 1992 wrote to memory of 2732  |  1992  |  chrome.exe  |  33
  PID 1992 wrote to memory of 2880  |  1992  |  chrome.exe  |  34
  PID 1992 wrote to memory of 2716  |  1992  |  chrome.exe  |  35
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe (PID 3060)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\lime.dll,#1
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1992)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2136)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d89758,0x7fef6d89768,0x7fef6d89778
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2732)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2880)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2716)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1620)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2336 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 752)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2144)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1172 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1796)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1400 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1112)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 912)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3984 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2624)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2784 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2884)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2944)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2772 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1148)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4068 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3044)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4084 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2296)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2368)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4208 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 876)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4196 --field-trial-handle=1240,i,10683955196277430552,10226388804412233348,131072 /prefetch:8
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2980)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- C:\Windows\System32\WScript.exe (PID 2236)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\FindPing.vbe"
- C:\Program Files\VideoLAN\VLC\vlc.exe (PID 1364)
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RequestResolve.wpl"
  Signatures:
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe (PID 1916)
  Command line: "C:\Windows\explorer.exe"
- C:\Users\Admin\Downloads\GLPG.exe (PID 2524)
  Command line: "C:\Users\Admin\Downloads\GLPG.exe"
  Signatures:
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Roaming\App.exe (PID 448)
    Command line: "C:\Users\Admin\AppData\Roaming\App.exe"
    Signatures:
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\System32\cmd.exe (PID 2064)
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      - C:\Windows\system32\vssadmin.exe (PID 1764)
        Command line: vssadmin delete shadows /all /quiet
        Signatures:
        - Interacts with shadow copies
      - C:\Windows\System32\Wbem\WMIC.exe (PID 1976)
        Command line: wmic shadowcopy delete
    - C:\Windows\System32\cmd.exe (PID 1732)
      Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      - C:\Windows\system32\bcdedit.exe (PID 1356)
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        Signatures:
        - Modifies boot configuration data using bcdedit
      - C:\Windows\system32\bcdedit.exe (PID 632)
        Command line: bcdedit /set {default} recoveryenabled no
        Signatures:
        - Modifies boot configuration data using bcdedit
    - C:\Windows\System32\cmd.exe (PID 1752)
      Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      - C:\Windows\system32\wbadmin.exe (PID 1600)
        Command line: wbadmin delete catalog -quiet
        Signatures:
        - Deletes backup catalog
    - C:\Windows\system32\NOTEPAD.EXE (PID 2868)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_me.txt
      Signatures:
      - Opens file in notepad (likely ransom note)
- C:\Windows\system32\vssvc.exe (PID 2044)
  Command line: C:\Windows\system32\vssvc.exe
- C:\Windows\system32\wbengine.exe (PID 2408)
  Command line: "C:\Windows\system32\wbengine.exe"
- C:\Windows\System32\vdsldr.exe (PID 2392)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (PID 1472)
  Command line: C:\Windows\System32\vds.exe
- C:\Windows\system32\rundll32.exe (PID 2168)
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk.3kqc
  Signatures:
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 14c18c34b46ffa8e88f0ff7c273cb8ed
  SHA1: d47f2ad50d472a197950b69d6423e347eaf3beab
  SHA256: 69fbacc924838902c9367bfed462146252580089adf09baba170c9f36211b757
  SHA512: 39ec4ddfe09097de966f0ef9b506bbd0cc88785e9febf31ca369fb9b6cad76024336eaedd358c9b33652a65533e285f24f0300a1d242dc273282dbf78be346fb
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5ab1c204a3620d66dc732f1dc6297bd8
  SHA1: 2ac9159653f8798b0d46d14cc70d31107eb5bf04
  SHA256: b3f48d4e5a1cce3b7d9b7dcc26d4e6db42a045d157100c19651fdc0a0e7fce2f
  SHA512: c7ff419e81fe9a10db477113e8dad472ffad8e7892eec51bea187eb1b2c58264309d4f9eb108d0cbf69771d389cfb12fb76b2a5d8d17018e27418b1126ca9de4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5eefdc6063d47543303f2b19fc8c96cb
  SHA1: c4c7c217656aebfc3853ba4024a6fad4c3d1b480
  SHA256: 74527bfcda97726682df5d2c6fdc8017f41e8a749758b27ddfac3caebe7afb4d
  SHA512: 5ebbece0a82bdc2dc7281cbc291f08e37ce54db22370106ff92c8ad5ce86a9529aeb64db01b079fc66a4cee2246935b269466d36cd8b99771b90d434d9d68149
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0b975540124aed6252a3bd8c738f2cc8
  SHA1: e2e8875b5a11876ef075a2dc520e121ff6bd4910
  SHA256: 5b1ac617332f62bffb0d7e2bd09a3ba98d9c85a90f0ae3e1c31bfb128efdd193
  SHA512: 28dee98cc7e5343376bf99df8b502b233d0f23f411ca1d41ac2e108d9bd0f102b542ca291785d408f2a19d88f56a443fcafd18e3f3ee4cd96474624d6f54ee0f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: cfdadfa6c91fa761020559ab0bd5bc02
  SHA1: ae4a6ce7fae2c7cd75de5f9a1df117884603c19c
  SHA256: d46e4097ad0bdfef82da4eb045335b830f6b1ab87385274d9536232accdc70ed
  SHA512: efd55423a54dc6de1a1c4be36211d388ccee0ded21bd59fdc6c9d90d93e7bd0a29064f45cdce4c55545cbe82eb1ffb78e11d55197f17b193d4dd809e9618f715
- (no path recorded)
  Filesize: 305KB
  MD5: 5d1f3c201b5eb45655ee2f664beb0d7a
  SHA1: c68d6ca6992fb78da9af18da80f34ba05733dcdf
  SHA256: a4cbf712495dee38b627814c53c387fa0765db97a5f553b778b818e63f84a2de
  SHA512: 4298fceac0023e045f62016f91f34e25cba11a2c2d989ac1681dd4c05c37d7848fcbf55922a4565447079d147d2abf7c8d4cc7531d1878c8e6a35411a2dc7440
- (no path recorded)
  Filesize: 16B
  MD5: aefd77f47fb84fae5ea194496b44c67a
  SHA1: dcfbb6a5b8d05662c4858664f81693bb7f803b82
  SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
  SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
- (no path recorded)
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- (no path recorded)
  Filesize: 361B
  MD5: 95cf63b41a9729c935cb8ce0bf1bf621
  SHA1: 857f83c2c991687f680437b327db055468e7099b
  SHA256: f98729cfd0e5b47d8f6cf13caa688db3f7fff486713db75af6899becc7328b8f
  SHA512: 9c23fe33d1e61944de64f7d104de1055f0480d2695a2b37e86c912059352fb5eb6e83c25034d406dd9a31e950a704ae0f737a3af5fa10b1131e4dfc778737636
- (no path recorded)
  Filesize: 524B
  MD5: 72df9e475f1bc846e28e84057fb74292
  SHA1: e899f011a8a96bc6a7d41ca7882d473f1c271295
  SHA256: 0b98c8eff93c1a643c002c89143a63afbc811905d8a51ee6b74025ffbd6ce661
  SHA512: 5a89118149045a11a4f03eba6a8c0d1ab7a9320865d8d29fc18b75d032b0688d59927336dadf3c7051406dbd83e9b05881259abca3cfa06d4b93e7ab09924766
- (no path recorded)
  Filesize: 5KB
  MD5: 387684ce1332c44c95bde07620910b8b
  SHA1: 4917b8be7238cfd8ca6848005009013705fb9754
  SHA256: 258549e733c6ed60a35ae194b92e932409d1e2e4d26ae6ab615de11f735a5efb
  SHA512: fafcf904eadd253e94e87e91148d530774404bc3dc8d13b9d928cb8dbea46cedaf239a342f2ffc7afc89f10ff77fdea51648c114fa3287b0c30ec7c4c107465f
- (no path recorded)
  Filesize: 5KB
  MD5: d2d3342bcef759a32dbede8a1fcd270d
  SHA1: 76d1be7d77b80debf9d5001d461c409e68d7c2d2
  SHA256: f653eca5bf2a9511c4aa8fc452b0a0a1b389595569add491095c0c5118c91925
  SHA512: 9fbf2d3d9d9368e70663a6db00a9fd52cc666b17d2d058f2e79995eaa65c89979e1527fb80c033b0ac95bf2976fd0a0b7cb11d5e0015a20e9d71c94a7186c3ef
- (no path recorded)
  Filesize: 16B
  MD5: 18e723571b00fb1694a3bad6c78e4054
  SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
  SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
  SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
- (no path recorded)
  Filesize: 305KB
  MD5: 1f1f8be4eb5b7607f310b55e75dd5915
  SHA1: 18ccd428d870575aee71bcb33975c1bba8166d74
  SHA256: acd6940e7ce0611c07b1267aca3c6e92711f83a504d1457bf9705c0b237b163a
  SHA512: b0f16a4e4aa507bfe58572d9ed638a0177a80a36c4936195461ce3a9ac2f6d3e897bac192fe6ebc263255921ba9ff303208539505d136925e1b923203d1532c0
- (no path recorded)
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- (no path recorded)
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- (no path recorded)
  Filesize: 928B
  MD5: 750440cefb1d91716b86774481e06654
  SHA1: 1268ddd5673cb1e6662aacd22ac2b9c582b75419
  SHA256: f8642bc7edd247a62ca69c212b46f3b544022de4f846dc22abef2311d6845e60
  SHA512: 55af56bb55899206474a5e37f1990f095a56800e967e897a9aebd6729e1be9701e9c1a2b64d41f698c6d92a72e280423549fa4c7eb520c55619dbe5c7dca876e
- (no path recorded)
  Filesize: 366B
  MD5: 678f8ac8fa271ec5c376ab16b4f2f4fb
  SHA1: 465e8d80f829c656306e75418a431ade164716e3
  SHA256: b267a9574217efe2bf6027f457ffa18826a2fc5c92ac520ccfa68fb61fa3d5cc
  SHA512: 00387daf94664ce41d1190a6ac07280203e2692d2731ff88f485c5106314ae1a78080f57c3d1d53142da4fdb5aa2a168f0bce368922bbdace8e78c1ce540b4a5
- (no path recorded)
  Filesize: 122KB
  MD5: 3abcf91c090a46d6faaaf087e3dcc047
  SHA1: 004786a6be26c4e2347ed3ecb88f5a6b738087c3
  SHA256: 95f4bc55344096ff5e0a724221a4b1ed8e708bcf28d99239856cdcf498a7f9a9
  SHA512: be06d76c201d668099c317ca84d32eda15543a21c1c013602a6707ee7a02f56c848285a724ff5a83d9ee4e2d93125ca2dd64b6ffbd0874c08ebd8b9a8000a6ec