hxxps://github[.]com/kh4sh3i/Ransomware-Samples

Resubmissions

06-12-2024 18:24

241206-w2jhxs1jax 10

06-12-2024 18:22

241206-wzy6lawnen 7

06-12-2024 18:15

241206-wwd19azqas 9

06-12-2024 18:09

241206-wrmgtszngy 6

Analysis

max time kernel
274s
max time network
277s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 18:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
36	raw.githubusercontent.com
62	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 9c5ac702d418db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B75FB1F0-B3FD-11EF-ADF2-468C69F2ED48} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{D48477E0-B141-4568-B3C4-3FD06F4C3BB9}"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133779821921109755"	chrome.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\bin_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\bin_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\bin_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\.bin	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\bin_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\.bin\ = "bin_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\bin_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\bin_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\bin_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\bin_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{30763D92-83B3-49D1-9182-36D25FE54214}	wmplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2460	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5580	vlc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
2848	OpenWith.exe
1624	OpenWith.exe
3560	OpenWith.exe
2512	OpenWith.exe
1976	OpenWith.exe
5580	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4924	wmplayer.exe
3204	iexplore.exe
3204	iexplore.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
5580	vlc.exe
5580	vlc.exe
5580	vlc.exe
5580	vlc.exe
5580	vlc.exe
5580	vlc.exe
5580	vlc.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
1128	firefox.exe
5580	vlc.exe
5580	vlc.exe
5580	vlc.exe
5580	vlc.exe
5580	vlc.exe
5580	vlc.exe
5580	vlc.exe
5580	vlc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3272	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
2848	OpenWith.exe
3068	AcroRd32.exe
3068	AcroRd32.exe
3068	AcroRd32.exe
3068	AcroRd32.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
1624	OpenWith.exe
3560	OpenWith.exe
3560	OpenWith.exe
3560	OpenWith.exe
3560	OpenWith.exe
3560	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 2892	4820	chrome.exe	83
PID 4820 wrote to memory of 2892	4820	chrome.exe	83
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3380	4820	chrome.exe	84
PID 4820 wrote to memory of 3264	4820	chrome.exe	85
PID 4820 wrote to memory of 3264	4820	chrome.exe	85
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86
PID 4820 wrote to memory of 2108	4820	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb1713cc40,0x7ffb1713cc4c,0x7ffb1713cc58
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2072,i,15320302987490881310,4081301308092977542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1792,i,15320302987490881310,4081301308092977542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,15320302987490881310,4081301308092977542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,15320302987490881310,4081301308092977542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,15320302987490881310,4081301308092977542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4636,i,15320302987490881310,4081301308092977542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5008,i,15320302987490881310,4081301308092977542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5292,i,15320302987490881310,4081301308092977542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5416,i,15320302987490881310,4081301308092977542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4860,i,15320302987490881310,4081301308092977542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2356

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3272

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2848
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3068
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=06905BC79671C898115485D276B72A09 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4432
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=06275DC0835DEB6014F66F884EDA7391 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=06275DC0835DEB6014F66F884EDA7391 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:2520
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A371505D9655DB2B145A7FF17E49184E --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4856
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F58B1090897AB026F85724975A0EECA9 --mojo-platform-channel-handle=2008 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:1528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin
1⤵
- Opens file in notepad (likely ransom note)
PID:2460

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3560
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\Downloads\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin"
  2⤵
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:4924
- - C:\Windows\SysWOW64\unregmp2.exe
    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1460
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      4⤵
      Enumerates connected drives
      PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3124

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x320
1⤵
PID:1140

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2512
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:3204
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:3880
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\Downloads\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3272

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1976
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin"
  2⤵
  PID:3076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1128
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e389577-6702-4e30-a1b2-8749faac0185} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" gpu
      4⤵
      PID:3272
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2384 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c30528c6-554f-464a-9c65-0bd05d8d3066} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" socket
      4⤵
      PID:3812
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2844 -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 3324 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2b4bbc8-e880-4093-ba9f-4be831f62fa9} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" tab
      4⤵
      PID:4920
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=952 -childID 2 -isForBrowser -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb12d827-817d-4696-a068-eb28f76b3342} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" tab
      4⤵
      PID:4848
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5060 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5016 -prefMapHandle 5012 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c65c240-2a7b-4f1c-9edd-e372079c4ad9} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" utility
      4⤵
      Checks processor information in registry
      PID:5864
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 3 -isForBrowser -prefsHandle 5444 -prefMapHandle 5440 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebc831cf-fd9f-4bb9-a226-bc205fa87361} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" tab
      4⤵
      PID:6104
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2792 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c38c7f7-e29a-4488-a652-72ee12aab0f3} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" tab
      4⤵
      PID:6116
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5768 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85a6e084-e29d-4b79-9b89-f21e70f36494} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" tab
      4⤵
      PID:6128

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" C:\Users\Admin\Downloads\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5580

C:\Users\Admin\Downloads\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
"C:\Users\Admin\Downloads\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:6084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4261e5a3ff65aade7fbe194637058fb4

SHA1
5bcadbc86a221697cb5f2929cb8396d0288c83ef

SHA256
ccca6f05999f314765264c41768d2b603ae67f056e62e6e88c2e1b70bf4a3549

SHA512
b62760427b8afd94fcf033083de451c322c755ffe4277ff583ede68469f81311f87263896ba87301224ca3e65d208651f6e32bd8657b5fe89d8dfede0c1a2362

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3a424861421ed2c4b57b97143a15b227

SHA1
b1d4bed42847df293d16367de25742359fd490dd

SHA256
8b0adeee4c463c2dbded912582e35f3b8dfa483c207ed647255fc555a544f17a

SHA512
c00c7e3e53ccb10a5ae2cb5fdbd00b0e15c25587e54aa588128ab18e301f515d7a7a1ca84510d88c124e22101fda3ad550352b3fb3bb29dddf1e4ad5013814f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ea5d2b61bca2c8dda377ad9b921b5648

SHA1
6e0ade56b53a5511339406bc6e31401772793d7d

SHA256
e8a24b9008cb2ebf4fbf082b6476b491e99acf5253450bdfda92b32058685ab0

SHA512
e97d64ae458d500eff32354112a68d4be283fb207d2f7a70a730d8726a4764fa22d7610134f6fa28ec0cf953455d6c395813f1ad1347568d66ba574e943f9936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e06600d22f910223d3fdb506718a81e8

SHA1
c17ffd3291f5d73a001fcba2b72a7dd8cd9655c9

SHA256
0dac17f07ca93ab01392e66a7cf4b8de917ef662234118a8d126fcd352afcdad

SHA512
23e7781c8358d5ac3f4304c00368ade6b60365232fb86af5d7701618e5ddd49be970947f5af7aad829481cb8ef365529296a7e08b421bcdfd89be6aaf3bcb504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d957e50de19f990d40ba46a6ab5199e5

SHA1
9b9efc44f0f803a5e23f98b29f2ae882925f6f3f

SHA256
3c27765472ab341f7ec1c71226e3d449f94d3dfe86fcbb47dc47d33fb6c96011

SHA512
3beb03b54a94b5c97a535c5912571722e6c35ca69f0c76d399bd9b40b635b2d316405c11fe3d01f7fc8b0af37295e06e2006f7b309acde7f41b5225634ea6b53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
81573fdf1570157122a58fd5ea5101c9

SHA1
62016664ef9a514d5721f55686fdfb27b7e1108f

SHA256
1ebe811f20103a3a258148cb6107333e4d316a72a3f7f7638031ed4b6af70b87

SHA512
a04572529be01a36a41419abc09cf0d5de7feb56c6d5b6b29c5ad7309f84772453aff56735ec1b1b9ebb6ce2054fbb077535402cc9441cba287b3e5858e52465

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6ca2e2b1b7ed2a0a77433adf31a4f49f

SHA1
fb18d31fb31d10a50590041322e4a026e75455df

SHA256
a963e63e4354d86d6fdcc66d0a6d0312bd5d63af31b9652fb7fb1efa221ba1f8

SHA512
356cf885e4fac11452c469dd9b94ff2f5cc86e39465722de89a62b792ff27d37c6e42a8bc294925e886a85121c90ad2bb6edbbe15253ba8e8edd8328d979d206

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e086800ae7aedadc5fe3a655ebf3bce6

SHA1
22077bfd6f3c39ebc379bed6ce09474136e4cd88

SHA256
492aea023fd08067f2bb852673cb11e682c463a5296c57beb68f5e8dc9044998

SHA512
c55bc1d6bc9ccc7631cdaa982c4e5afcb18ad87cc1765aca7f45bef43d2e1721d924e651d16422b9ec72f53e7324567b042b7a07542a4403d8823a31316000fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a40bf88829044e6b445f86b7aa375882

SHA1
e505b991e39aeab4367ba6632a111226106b9f51

SHA256
ed23c16129a8fa9bfe2385e5ea884575d3a6c14eda47115205657f591310797e

SHA512
b1d82cf1f2e2efd52e0ef15e3f67037290a9d5b7748848b58ba256f67d3f4c3b8ef1b78479b7f9fe7bb8939cca9bf7f594d73a06b69bfa7b5beaf9c44661ed44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a28003e3acb7209260129a820a819a2f

SHA1
3a866d6fe7a90f2491c048f4b64a2cf670de2215

SHA256
e28a1d1417852b93871feb485dcbbb29534f7208a351d730508b23a36c6ee621

SHA512
71227b6257fad722633387e3c71551aa6bb6e1e08ef8f4270d8eef379218e280c4ec88b3c8e78959885b560613b42d5e011820269e18548d4a13a25c1ccffa81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5e70dc0b870d0135b68112cf6558009f

SHA1
0a4436dcc2c6f8bbce45118e46496ba10c49dc73

SHA256
3a341d0da7d319e24687c2884774aa44bf7b053062fcea69210102917fa3f40d

SHA512
859e78118ab9e91f818bb119387e2918f10de7f7af1f63e730ff204134ec78257b42ebc0a6bf1bdfaf79dea151070e83ba58343de486ee5aa3171ce41b11d932

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f1f68a8271b189200f65d7db35e02376

SHA1
7729a8beecb2724494c2f8bb5328d4d561cd7cc9

SHA256
7c16e9ccbd36f977377fa83c5e135ff830babff62162378b6f85f04140d4c03d

SHA512
587a04c9a52df8e14066a633e38d5f7ba14639d12ec174f1f35ff9c51e02e5995a4a2d6473e86185ea30fbfa26ed1a453b065ee4aa10b1472cc7756e3b19e57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a9de938f9e36c1c983316e1e588e5a66

SHA1
46f212a6dc5054fa12ddec1f72f8fcca01c4487a

SHA256
1c1a9d6af75e770c1b7c8f450ba15a8aff642b839289ecfb364cb00eb152e865

SHA512
60cfbf59d122896f98a943bff8cb4ac729791393f1c7d8e9fead0b11e9257964d63734ea843a94ebe9b89c799b698557a9891c3d86fc32d0ef8c46928a4729d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c24034b19f08b489c65e8f2edcc6b5a8

SHA1
8882d73a3d17d6198214b945bc7ec9a82aa9286d

SHA256
147615bfb913f82806d6baa66a42b6a35f2bb4794a876cca821686870374cc39

SHA512
abc3524865bc253ce34a9eabcddf3b70df4813fc19200ab70f8d808a907ff8a29a762e0081db5456666a9dc185d13e461c726846a3ce52b10337a4e7dacd7794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
08a005aac92f0ee3f0ccb685a3517980

SHA1
aafcf0df3c69eb62d1d3cd8f0432cfa3b61fb3fc

SHA256
f5d2123133586a06ba91b5dce47a681d6d19eb18dd8a6f1be8a55045ea7a9cc5

SHA512
d4b2bb7f72de036f014cdb548520fa3a9e0a14c4e910228d3c7b031593e4d4e30bd0822721b3456a355e9ca60d569737c9aa5257ee180b0ef9ab90c94c78eb07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fcc2a20a0c3676fcb54959831f5a5671

SHA1
1ad34e56e9937b31866b2efae1b7c83193570afd

SHA256
6d272543e26d73027726525e68fe4213b7bcb956fdb6a235dae53fc6b600f93b

SHA512
3ca89454ddcd9d0e86f0aa298fe475cd6238efa90364b8a05673b06e67021ec93715edf58c9ff238dbe86063bc1323e1e19a12780a46fad60d0a836f5ec82a35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
abdf12c1f168177f8b99e199cd2e4492

SHA1
f65b74644582dbedd73619f0853e3e9a11578287

SHA256
8049e7ec8ae0010dbc782fecd65e2aba6afb93c372a6416d3a5042baa757dcfe

SHA512
1dc99b5f1d9b25cdc6fa161345a0975ef18afaab9e5666c887b6a761170dc27bfef9b059f3eb85f296d0d93c784874356a9fe3b605781ce1a3ec1f485955da76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
655fa084a95ebaffbddadfdb03168797

SHA1
a6870608cef17f9d4f272e64457835603d4004c4

SHA256
dbc0dea839060ed7c603ad40925c144a309314c18a028e0260f31764476f2e47

SHA512
71f734c8b73d45f20f43070a7a7d95dad539256b68ab4c94aa1275057d8a09adda9088311c07b18ea53389ad95b937dbb369422e9a67ed7c8ff5efde1fee786c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
58a83684d13dbcc29ebdedce3c136d7e

SHA1
788dcbb535a6dc9b861d5b1d3f9b011ec66b9b9e

SHA256
92dce005a477637ef23c877dbe1e3cde1e742c90e1a4f5c1ed7d3c8e1c0d434e

SHA512
65a3c08b30b789b65ce0183f2ea4a59cbc6d4f162f193fb121653d6567389ee363073c60e028dd45d6de6a4209c557220218efe283514876b08dbaa10e06639d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0b21aaabb893b51442973db386a8b058

SHA1
6fef27ff3ca9b1e13f3c4f7d1006d4efc20b2367

SHA256
785462a6e1ba9b08e6562b98e4f7789f47c96b769b49a4eb3ce00b0253c1507f

SHA512
d018e95888b8b3452e64b6ec241e2d8cae20adfb4135b09a35eaaf3ba0fff25b6297e1b66b8e612e02693b78b0b1e8d975a3fa5581994b9892b70743e442d47b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0adf8d5b3d44cb45962dc60004e069dc

SHA1
4abc7287dd32e39001f15f7e22c77df0fe73ed11

SHA256
f56789ec1e1e6db699cdf29612d1f3d8a86b9ae18e490c235d491c72f95d1d58

SHA512
688ebc827380639982f9e1402f84f015e28e5c9931027d6985562a09c0d3bfc0725da5e6311f1a7c28b6d26271d4f1381ca24b2e0e6fd44dd28b2a4dbf7c34b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
24ae4e6bb766e61f8667f283708ea2f2

SHA1
195cebe2903d00215d39c85aeb401af234ed98b4

SHA256
36ece90beb38d269eae4504eab3ffe1437708d3b0204380595e5281454d7d973

SHA512
a5c1bb6121a3a8c39af6797c1582048100ece5bd976af1bc518daa16f1de203d7361d937bebe374b697660936278c5ee7dc55208a2a4771f9435d4a6372526d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
50ccb2e09a7df43689ccb3dbd7b1549d

SHA1
be57642aa860dca09ec85b89f26d1abb719f6bfb

SHA256
ddbad0a7c9e26f4948272fcea80da0b2a06e56997be26b9f2b10f68543ee6117

SHA512
e0ef50a7610ea459b09a8d7fda761f1665bd93584cbd60884730d9fe35d592026c93712a1b3c65a8920f38baaa3e05b848bd6369951038c5637d6ee074475bda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1db58d1842b8e219cbe2aed387ca186c

SHA1
a2a2910d9e91031165489ec704e96b32d79cb775

SHA256
409e0768844ec432fb313b9b97e5741bd6cfc6516b286ad87a271ea9353f7397

SHA512
762e2132833cad60e92486b52cc4ad390f67b891ff049425e899798e261c6c3f685609740a6f35ee4e0eab474e59f8931f1f168cda10aff96503a8a8dc0ddf25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
92e285529e24b7a9f4695d347059cf6a

SHA1
3307e8ec5e6adb40853328e7193f554343d528ca

SHA256
218020f6c3b8ba7b556d5b443f8b27bb6618a8add16351a59216279259d95785

SHA512
2c53dedf7bb60af5c95941fd2f1a52e8dc281276b923b82bce99b13c3cb60ccca0f49261bda9b941674c08a5fe9f5f7de37982d0d072adaeca6168f12734fa0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
48cdbae9b641d92b5fe1d7ec51d9626a

SHA1
4b0a7173d1ef023324bffa8e2a16cd864d262368

SHA256
a7eb4f66e6fa4fd86d2ffbfb36da97c398c8d7de656dcffb70e54d5dd9b4d99f

SHA512
7a8bbaabd2ca608f41475a84e1566b5a825476f20db19f51067af486ffa2d0a01db822d15cf2429187e24f09d14c831e63dcc25595d6a1f7c95692ec93068763

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
2b33ba5fff19c0c684a67206220793ea

SHA1
883929b362996beadc22beedc800d8fdf175c9f6

SHA256
65cbbb5bd16e161d9397e3c9877696f077b8ada1b327c3e8cb1cd9eee364e541

SHA512
54acafdbc83f9d4b987deaf6994068cec04fca692bb97808a5af7cc8262dc471bcf23c264abe17676d42ce8a2cfb85b32b120ead7aa08b9911845753d8ff8020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
90f969c3513a7a3f6fab1bd5b7c1d8e8

SHA1
a5c1ecb6c4c090854cf91d951abd6392fdb9f7c4

SHA256
805ad616b8c8ab0cac8288b25fcad65e6acc849bd82d2cdebd9d68678e690953

SHA512
36055d415843c2052a262486792a5c8ef90346ce7545a3ede5194089fef1257bcbbb050efacd5b50b89502289b28533ae5aa600ca5624cd1256cc42f5c8cb445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
192833e694efff568b4f7372ec435274

SHA1
c11a6642020c605d632651dda791a6339353cef5

SHA256
048b03574873425ddac4213b2ed2849a9857af177120a1c4be444051a862711c

SHA512
fa8dd160349638d0483134dae04fefc33a25452a7a44444c905e7527c06bbe51e08e86b15717d43912937a6000e044f52b334cfad2a0dc862846f581cd0b3d35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
29de4a58ea876f2d20c4accdae564315

SHA1
ebbbc48cdeb0b8885885e50e48630e1423a8f3b3

SHA256
7208cbb8f9b121f1c3b01d616310b445b18dc209b6c94b6534c1c7c21a89667d

SHA512
831c420b52c833c5f70964c6640a894f3295b80959ba8c37ca655a263e087581052f1bc130067001c51c30b735de8898a307f6c111de615ebb618f0cb95776ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
2c641df4f28582982b18586c7c324d90

SHA1
00820d35061ffa60c5431df8ee04616f99fc9e79

SHA256
ee010a95a64f296b1c72cecdbe4ef685bc57e7f279b25fa7669a1b71ec26c7f1

SHA512
43615ace91b0960eadcf4b99aea38ac44ea370d57369d183d808df2a43aef3f34b2fe4218f90353099badf3bfd9a567bd270d6f6aaa70add46402ecc3fec8d67

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
20723fd80965edbbe87712c8ef740d82

SHA1
f6316c4e13fa5e75ec43ebc041c1186f135cb145

SHA256
6c8ccced973c83ac64a4de671775d965be128d4231af970e2c1c1593d8361866

SHA512
483f60944e296704c01120eb14752e5df9e43e072feff47b4a56b62c3b0401f6f86c758e83a0d0a7c4d2171a241a7dcdb25222b944b974cb2ac3fe6b36f1d43f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
8KB

MD5
3037492631a3d8c70198cde4c45e703e

SHA1
1a35ba129aeb5f3b8c07b990c72de34be8ee97f8

SHA256
3d31f12edb83d69787e6a3182751e464328185a9f5e4b88260695c897039f421

SHA512
b19139e1fb68fd3d04ab24cdb24eef41e7884ba36895b866e6384a59b52eef30792037b3ce57a761412544af800fe9789cef5ad4f56e0a21169724b34bfc9bbc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
99773d40e67758d091186df974e59b85

SHA1
999e593b97281054c888c1991db43464b9a5817c

SHA256
209f3d3397a1dcd16828dffd4c54eba88d4b0ec948d5c16db0aa2e421684fa39

SHA512
53b588e0f066034d1aa5e93b6edff581b970631dd80392ac9bb42111909aac77d28be98880aaeeed96bbccfdaed51cf06832a88fd450dcb9a8cf42b61b07da83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
ba9b32a912faa870ad81aa125a2af7f4

SHA1
aba7f527adc0de1c90acd736ef7ad3dfa2816959

SHA256
9dd0e11bbbc06cb0b1873c889e97cbc8b5ab9063c39ba1bbc777f41e7e68dbee

SHA512
6f1918af19990c7bf61167fed66554bbb32456642ac698e590a3060e0a9d47fde3fe6dc52f1186a602fddb5079026cc5939811f1870af58a94e9452ecf461b8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\647aae5c-5a01-4344-aae8-3590becfbe7e

Filesize
26KB

MD5
52e28a31720ee200eba4232066039e2f

SHA1
ae31e9dea6b3d4894499e5e84667c9f0200670de

SHA256
29a547c868abc6f898af4b9ca86aba7883f4e97fb895bc71351aff25b3612652

SHA512
d16c83d93b352009b297b828bc4fc692bc398622f85c173204c44ecf47558788ac3d4d78f58b14019ad91a93ebf89efe16ad7492028efa4fc2692a2d3e92aa96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\7e3b1060-a78b-417d-a2f3-4629a94f66f9

Filesize
671B

MD5
2c990fcc5ab9e0e4984b9de9c8521c76

SHA1
9e911f4a7dcb2050d38464029ae40b1a7d3f7afb

SHA256
3ac940d2e5614d7e9f06375c0a5bfec4a26f80e9dd737a3f0bd4c710d8844128

SHA512
2d81309c5c1fb1c99117923056de3d509e4715b44503543b77db48f225f05a82cb2af415ddd6d17e71ef19ef27e886414db69176378813d7bb1ad0e2154fd65c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\bcb2e0bc-ad02-4658-8024-fe5cb7685165

Filesize
982B

MD5
4004293bbcc3dfb0f36cb1357579c2a2

SHA1
06233eb7b39790aa6ee403151028ab78b915337f

SHA256
427c9a391c601f72097c71c26ae5427e3ca86a6c8046bfd872c4455bc28083c6

SHA512
bc002bd5fc939aea1c7ce9498ae47fac1ed563d4cca7f8fef0d8cb319e37241be579ff23d07d919c6d0cbc9251ebac58a0ca7d81355cca3beb42042e52a71eb7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
10KB

MD5
6f146b63d099efde55f0fefca8604232

SHA1
e428bef7a34f8b38944b2bc450d1941525af806b

SHA256
891467163eeb2f77773110270ed25c66250917dce245b02dae539d64048ad297

SHA512
bc46f1f84e7ac11d22c1087c639a298a6c67ba00a3480dab631e0fea9ab84304b8733001fa782c49d10efa9bce5d450e04c4363451d8c803446ddb0bef55f516

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js

Filesize
11KB

MD5
809c6948efebfc370879debe39f99ec9

SHA1
0f6c83331dbde81876735c5734418454e8a6fdbf

SHA256
ddaaaa8ea273aed23a6afaaa9ca3902ff7bbd04b0a747b4586a94e235aced9be

SHA512
e580e1ff31c62858527ff27387dad19c5b34fbebde1524075a5f1df18fa4d8b7fce6114d58b3f67ee60a64aa8b9c730ba59164f4989e138fc903e7635b7b66ec

Download Submit
C:\Users\Admin\Downloads\Ransomware.Petya.zip

Filesize
538KB

MD5
e8fb95ebb7e0db4c68a32947a74b5ff9

SHA1
6f93f85342aa3ea7dcbe69cfb55d48e5027b296c

SHA256
33ca487a65d38bad82dccfa0d076bad071466e4183562d0b1ad1a2e954667fe9

SHA512
a2dea77b0283f4ed987c4de8860a9822bfd030be9c3096cda54f6159a89d461099e58efbc767bb8c04ae21ddd4289da578f8d938d78f30d40f9bca6567087320

Download Submit
memory/4924-464-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/4924-461-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/4924-478-0x0000000007D50000-0x0000000007D60000-memory.dmp

Filesize
64KB

Download
memory/4924-466-0x0000000007D50000-0x0000000007D60000-memory.dmp

Filesize
64KB

Download
memory/4924-465-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/4924-460-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/4924-417-0x0000000007D50000-0x0000000007D60000-memory.dmp

Filesize
64KB

Download
memory/4924-418-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/4924-419-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/4924-421-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/4924-488-0x0000000007D50000-0x0000000007D60000-memory.dmp

Filesize
64KB

Download
memory/4924-420-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/4924-422-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/4924-423-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/4924-458-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/4924-459-0x0000000007D50000-0x0000000007D60000-memory.dmp

Filesize
64KB

Download
memory/4924-462-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/4924-463-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/5580-832-0x00007FFB01350000-0x00007FFB01606000-memory.dmp

Filesize
2.7MB

Download
memory/5580-839-0x00007FFB04B00000-0x00007FFB04D0B000-memory.dmp

Filesize
2.0MB

Download
memory/5580-847-0x00007FFB04A80000-0x00007FFB04A9B000-memory.dmp

Filesize
108KB

Download
memory/5580-846-0x00007FFB04AA0000-0x00007FFB04AB1000-memory.dmp

Filesize
68KB

Download
memory/5580-845-0x00007FFB04AC0000-0x00007FFB04AD1000-memory.dmp

Filesize
68KB

Download
memory/5580-844-0x00007FFAFC390000-0x00007FFAFD440000-memory.dmp

Filesize
16.7MB

Download
memory/5580-834-0x00007FFB14A10000-0x00007FFB14A27000-memory.dmp

Filesize
92KB

Download
memory/5580-881-0x00007FF7B8D90000-0x00007FF7B8E88000-memory.dmp

Filesize
992KB

Download
memory/5580-883-0x00007FFB01350000-0x00007FFB01606000-memory.dmp

Filesize
2.7MB

Download
memory/5580-882-0x00007FFB13200000-0x00007FFB13234000-memory.dmp

Filesize
208KB

Download
memory/5580-835-0x00007FFB11230000-0x00007FFB11241000-memory.dmp

Filesize
68KB

Download
memory/5580-833-0x00007FFB17880000-0x00007FFB17898000-memory.dmp

Filesize
96KB

Download
memory/5580-884-0x00007FFAFC390000-0x00007FFAFD440000-memory.dmp

Filesize
16.7MB

Download
memory/5580-841-0x00007FFB051B0000-0x00007FFB051D1000-memory.dmp

Filesize
132KB

Download
memory/5580-840-0x00007FFB05050000-0x00007FFB05091000-memory.dmp

Filesize
260KB

Download
memory/5580-842-0x00007FFB04E90000-0x00007FFB04EA8000-memory.dmp

Filesize
96KB

Download
memory/5580-843-0x00007FFB04AE0000-0x00007FFB04AF1000-memory.dmp

Filesize
68KB

Download
memory/5580-836-0x00007FFB05A20000-0x00007FFB05A37000-memory.dmp

Filesize
92KB

Download
memory/5580-837-0x00007FFB05250000-0x00007FFB0526D000-memory.dmp

Filesize
116KB

Download
memory/5580-838-0x00007FFB051E0000-0x00007FFB051F1000-memory.dmp

Filesize
68KB

Download
memory/5580-830-0x00007FF7B8D90000-0x00007FF7B8E88000-memory.dmp

Filesize
992KB

Download
memory/5580-831-0x00007FFB13200000-0x00007FFB13234000-memory.dmp

Filesize
208KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads