Analysis
max time kernel: 39s
max time network: 40s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 18:09
Behavioral task: behavioral1
  Sample: test123.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: test123.exe
  Resource: win10v2004-20241007-en
General
Target: test123.exe
Size: 397KB
MD5: ac5a257992599ba6e64e705cff27a671
SHA1: 15854c4b735880e0aa384e85f306e4adf67140f5
SHA256: 4fba7c66c4fedc46793a324e514b073635a54ab72f9af9685b88c29297168de3
SHA512: 9af441aeb9fd4860aa3aa11ceefe68520f79b8e40a9be45f0ae37c2910ff52647c1299975ea1ba77e84d905fd46ab448971b1135b122496ffae55221ac9f3f66
SSDEEP: 12288:D92GgykqXIBXPtrJwZvXO/6hVGhGIcVO+HGgIOXK:R7sL
Malware Config
Extracted from: C:\Users\Admin\Desktop\read_it.txt
Family: chaos
Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware 2 IoCs
resource / yara_rule:
behavioral2/memory/3728-1-0x0000000000850000-0x00000000008BA000-memory.dmp: family_chaos
behavioral2/files/0x0008000000023c98-6.dat: family_chaos

Chaos family

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
PID 1168 bcdedit.exe
PID 2040 bcdedit.exe

Deletes backup catalog 1 IoCs
PID 1004 wbadmin.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation (svchost.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation (test123.exe)

Drops startup file 3 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt (svchost.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url (svchost.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (svchost.exe)

Executes dropped EXE 1 IoCs
PID 3604 svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) 34 IoCs

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\darwplcq3.jpg" (svchost.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 (vds.exe)
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (vds.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 (vds.exe)
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)

Enumerates system info in registry 2 TTPs 3 IoCs
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
PID 2540 vssadmin.exe

Modifies registry class 1 IoCs
Key created: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings (svchost.exe)

Opens file in notepad (likely ransom note) 1 IoCs
PID 2740 NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs
PID 3604 svchost.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
PID 4668 chrome.exe (3 events)

Suspicious use of AdjustPrivilegeToken 54 IoCs
Suspicious use of FindShellTrayWindow 28 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

C:\Users\Admin\AppData\Local\Temp\test123.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\test123.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3728

  C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3604

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      PID: 4648

      C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
        PID: 2540

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
        PID: 3216

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      - Suspicious use of WriteProcessMemory
      PID: 3472

      C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
        PID: 1168

      C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
        PID: 2040

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      - Suspicious use of WriteProcessMemory
      PID: 324

      C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
        PID: 1004

    C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      - Opens file in notepad (likely ransom note)
      - Suspicious use of FindShellTrayWindow
      PID: 2740

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1788

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 2032

C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 3688

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
  PID: 2412

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4668

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdccf3cc40,0x7ffdccf3cc4c,0x7ffdccf3cc58
    PID: 2628

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2012,i,14625110282041563628,12954531971387689785,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:2
    PID: 4420

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,14625110282041563628,12954531971387689785,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:3
    PID: 1452

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,14625110282041563628,12954531971387689785,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2476 /prefetch:8
    PID: 3532

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,14625110282041563628,12954531971387689785,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
    PID: 4892

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,14625110282041563628,12954531971387689785,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
    PID: 4840

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4504,i,14625110282041563628,12954531971387689785,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:1
    PID: 5044

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 2264

MITRE ATT&CK Enterprise v15

Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (3)
- File Deletion (3)
- Modify Registry (1)

Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)

Downloads