Analysis
- max time kernel: 93s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 19-01-2022 04:08
Static task: static1
Behavioral task: behavioral1
- Sample: REvil_07_04_2021_121KB.exe
- Resource: win10v2004-en-20220113
General
- Target: REvil_07_04_2021_121KB.exe
- Size: 120KB
- MD5: 726d948d365cb9db1dfd84a30203a642
- SHA1: 78ed4bcf9c0aca8d14b25da2e679a91c48dd6797
- SHA256: d74f04f0b948d9586629e06e2a2a21bdf20d678e47058afb637414eb3701c1f6
- SHA512: bd17f2b265c30f0d9ddc60e01026f21ad6b6355f68b762b14b3e8882a90de0a20970f77105a2515a7cb4a0d1429f3a70cdf40d4247384592d36da6f2907a690a
Malware Config
Extracted from: C:\6940r65b-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/89829C75164FEAA2
  - http://decoder.re/89829C75164FEAA2
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 4588: Advanced_IP_Scanner_2.5.3850.exe
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (REvil_07_04_2021_121KB.exe):
  - File renamed: C:\Users\Admin\Pictures\CheckpointSend.png => \??\c:\users\admin\pictures\CheckpointSend.png.6940r65b
  - File renamed: C:\Users\Admin\Pictures\RestoreSelect.png => \??\c:\users\admin\pictures\RestoreSelect.png.6940r65b
  - File renamed: C:\Users\Admin\Pictures\ResumeSend.png => \??\c:\users\admin\pictures\ResumeSend.png.6940r65b
  - File renamed: C:\Users\Admin\Pictures\UnprotectInvoke.raw => \??\c:\users\admin\pictures\UnprotectInvoke.raw.6940r65b
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (REvil_07_04_2021_121KB.exe):
  - File opened (read-only), in the order recorded: \??\A:, \??\B:, \??\H:, \??\J:, \??\L:, \??\M:, \??\P:, \??\T:, \??\U:, \??\X:, \??\D:, \??\K:, \??\Q:, \??\R:, \??\S:, \??\G:, \??\I:, \??\O:, \??\V:, \??\W:, \??\Z:, \??\E:, \??\F:, \??\N:, \??\Y:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (REvil_07_04_2021_121KB.exe):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3i18fcmk.bmp"
- Drops file in Program Files directory (23 IoCs)
  Processes (REvil_07_04_2021_121KB.exe):
  - File created: \??\c:\program files (x86)\6940r65b-readme.txt
  - File created: \??\c:\program files\6940r65b-readme.txt
  - File opened for modification (21 files, in the order recorded):
    \??\c:\program files\ConvertSubmit.dotx
    \??\c:\program files\DisconnectOptimize.nfo
    \??\c:\program files\GroupSelect.wmv
    \??\c:\program files\InstallDisconnect.xml
    \??\c:\program files\SyncHide.pdf
    \??\c:\program files\UnpublishSwitch.jtx
    \??\c:\program files\UpdateGroup.rtf
    \??\c:\program files\AssertMount.xlsm
    \??\c:\program files\InstallRemove.vsdm
    \??\c:\program files\RepairMeasure.xls
    \??\c:\program files\ConvertToExport.snd
    \??\c:\program files\DisconnectConfirm.html
    \??\c:\program files\DisconnectReset.xlsm
    \??\c:\program files\MeasureSkip.xhtml
    \??\c:\program files\RegisterConvertTo.odt
    \??\c:\program files\SkipGet.mpeg
    \??\c:\program files\StartConvert.doc
    \??\c:\program files\DismountFind.jpe
    \??\c:\program files\PopCopy.ram
    \??\c:\program files\SelectRename.mht
    \??\c:\program files\StartCheckpoint.dotm
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (chrome.exe):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes:
  - pid 4472: ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid, process; each pair is recorded twice in succession):
  - 2980 REvil_07_04_2021_121KB.exe (x2)
  - 2108 chrome.exe (x2)
  - 3528 chrome.exe (x2)
  - 2980 REvil_07_04_2021_121KB.exe (x2)
  - 4876 chrome.exe (x2)
  - 5052 chrome.exe (x2)
  - 464 chrome.exe (x2)
  - 1728 chrome.exe (x2)
  - 1504 chrome.exe (x2)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  Processes:
  - pid 3528: chrome.exe (10 identical entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 2980, REvil_07_04_2021_121KB.exe
  - Token: SeTakeOwnershipPrivilege, pid 2980, REvil_07_04_2021_121KB.exe
  - Token: SeBackupPrivilege, pid 3228, vssvc.exe
  - Token: SeRestorePrivilege, pid 3228, vssvc.exe
  - Token: SeAuditPrivilege, pid 3228, vssvc.exe
- Suspicious use of FindShellTrayWindow (37 IoCs)
  Processes:
  - pid 3528: chrome.exe (37 identical entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes:
  - pid 3528: chrome.exe (24 identical entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - pid 2400: TextInputHost.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (chrome.exe):
  - PID 3528 (chrome.exe) wrote to memory of target process chrome.exe, PIDs 752, 3664, 2108 and 3232 (64 entries in total, in that order; the writes to 3664 and 3232 are each recorded many times)
Processes
- C:\Users\Admin\AppData\Local\Temp\REvil_07_04_2021_121KB.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\REvil_07_04_2021_121KB.exe"
  Signatures:
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xc0,0x108,0x7ff8d5434f50,0x7ff8d5434f60,0x7ff8d5434f70
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1964 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2340 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4376 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4420 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5212 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5368 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5624 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4400 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3036 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5208 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3188 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2084 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,11930103575164726814,11059707830032893975,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3160 /prefetch:8
  - C:\Users\Admin\Downloads\Advanced_IP_Scanner_2.5.3850.exe
    Command line: "C:\Users\Admin\Downloads\Advanced_IP_Scanner_2.5.3850.exe"
    Signatures:
    - Executes dropped EXE
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  Signatures:
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  Child processes:
  - C:\Windows\system32\ipconfig.exe
    Command line: ipconfig /all
    Signatures:
    - Gathers network information
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads