Malware Analysis Report

2024-10-19 10:36

Sample ID 230602-tmaalacc75
Target Revil.bin.zip
SHA256 740ad8ea62f10de39e0b794cf6f579f25af1b8d79f859b48ecd41edc1f92cf13
Tags
sodinokibi $2b$13$wz1rerfdlg.aistldqg5jeqqysemspatwkhdwbpwvrc3ty7akscg6 49 persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

740ad8ea62f10de39e0b794cf6f579f25af1b8d79f859b48ecd41edc1f92cf13

Threat Level: Known bad

The file Revil.bin.zip was found to be: Known bad.

Malicious Activity Summary

sodinokibi $2b$13$wz1rerfdlg.aistldqg5jeqqysemspatwkhdwbpwvrc3ty7akscg6 49 persistence ransomware

Sodin, Sodinokibi, REvil

Modifies extensions of user files

Enumerates connected drives

Adds Run key to start application

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-02 16:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-02 16:09

Reported

2023-06-02 16:12

Platform

win10-20230220-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Revil.exe"

Signatures

Sodin, Sodinokibi, REvil

ransomware sodinokibi

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\InstallConfirm.crw => \??\c:\users\admin\pictures\InstallConfirm.crw.2ag2324 C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mf9lpvbu.bmp" C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\OptimizeSwitch.dib C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\ExpandEnter.htm C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\FormatOpen.ods C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\ExitSend.docx C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\UnprotectGet.3gp2 C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\WriteSkip.wmx C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File created \??\c:\program files\EDGEWATER-README.txt C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File created \??\c:\program files (x86)\EDGEWATER-README.txt C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\JoinConfirm.mp4 C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\MeasureSplit.crw C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\MountPing.tiff C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\RestartUnregister.docx C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\UnpublishRead.htm C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\CompressWrite.potm C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\InvokeConvert.xps C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\SplitResolve.vsdx C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\StepReceive.sql C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\AddImport.otf C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
File opened for modification \??\c:\program files\CompareCompress.mp3 C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133301959018730802" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Revil.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4144 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\Revil.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\Revil.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3972 wrote to memory of 704 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 704 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3964 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3784 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 3784 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3972 wrote to memory of 756 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Revil.exe

"C:\Users\Admin\AppData\Local\Temp\Revil.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==

Decoded -e argument (UTF-16LE base64): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EDGEWATER-README.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EDGEWATER-README.txt

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd8ef79758,0x7ffd8ef79768,0x7ffd8ef79778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4344 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4872 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5264 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5336 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3360 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5476 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=952 --field-trial-handle=1780,i,12341678486027692466,5559525014331841357,131072 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x218

Network

Country Destination Domain Proto
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 250.255.255.239.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 100.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
DE 172.217.23.206:443 apis.google.com tcp
US 8.8.8.8:53 clients2.google.com udp
NL 142.251.36.46:443 clients2.google.com tcp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 46.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 251.0.0.224.in-addr.arpa udp
US 8.8.8.8:53 b.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
US 8.8.8.8:53 ogs.google.com udp
NL 142.250.179.206:443 ogs.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
DE 172.217.23.195:443 ssl.gstatic.com tcp
US 8.8.8.8:53 206.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
DE 172.217.23.202:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 202.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 i.ytimg.com udp
NL 172.217.168.246:443 i.ytimg.com tcp
US 8.8.8.8:53 246.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.251.39.98:443 googleads.g.doubleclick.net tcp
DE 172.217.23.202:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 98.39.251.142.in-addr.arpa udp
NL 142.251.39.98:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 www.google.nl udp
NL 172.217.168.246:443 i.ytimg.com udp
NL 142.251.36.3:443 www.google.nl tcp
US 8.8.8.8:53 yt3.ggpht.com udp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com tcp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 static.doubleclick.net udp
NL 142.251.36.6:443 static.doubleclick.net tcp
US 8.8.8.8:53 6.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp

Files

memory/4144-119-0x0000000000A40000-0x0000000000A60000-memory.dmp

memory/4144-120-0x0000000000A40000-0x0000000000A60000-memory.dmp

memory/5060-125-0x000002B3D1D30000-0x000002B3D1D52000-memory.dmp

memory/5060-128-0x000002B3D1EE0000-0x000002B3D1F56000-memory.dmp

memory/5060-129-0x000002B3B9B10000-0x000002B3B9B20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p1mjnnqi.khd.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5060-130-0x000002B3B9B10000-0x000002B3B9B20000-memory.dmp

memory/4144-152-0x0000000000A40000-0x0000000000A60000-memory.dmp

C:\Recovery\EDGEWATER-README.txt

MD5 f87594f8c275e5e55abb2628c853241a
SHA1 8f2bd665dedcc650796d7e9764c6e18cf0740078
SHA256 b7fa2ab2865f0211eefceefb7ee0adf6db7da03427b7ce3e93d3d1cc913c1f46
SHA512 e80143def50b2ec6fbae1809d8194169ee3af21d919bec951318b8f2928d7171cf7d08a897d408e578e2c642de68549e5a59d9b1c060e0ea75efdd10b67a23c5

memory/4144-252-0x0000000000A40000-0x0000000000A60000-memory.dmp

C:\Users\Admin\Desktop\EDGEWATER-README.txt

MD5 f87594f8c275e5e55abb2628c853241a
SHA1 8f2bd665dedcc650796d7e9764c6e18cf0740078
SHA256 b7fa2ab2865f0211eefceefb7ee0adf6db7da03427b7ce3e93d3d1cc913c1f46
SHA512 e80143def50b2ec6fbae1809d8194169ee3af21d919bec951318b8f2928d7171cf7d08a897d408e578e2c642de68549e5a59d9b1c060e0ea75efdd10b67a23c5

memory/4144-561-0x0000000000A40000-0x0000000000A60000-memory.dmp

memory/4144-570-0x0000000000A40000-0x0000000000A60000-memory.dmp

\??\pipe\crashpad_3972_RXYZVMOBFRJDQCGU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 c8839ddfd0879105a29b697dea8c35a8
SHA1 887df092f61a592d476c35255821047215c937b9
SHA256 e729a959cd0c3c17798cc5e5b5cb27d3b656a0c6db14c9e3a51f125cc4503a51
SHA512 b32a1bbceac9707cdce17deb78f01d4ae33734de5f2cbffd216cb1ee0afecf80a9784ae1fea3ac7f215e030ba350cde343f3d1eb1986010ab336ec59b1308988

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 07d843d66cf55981719a6a032ee822aa
SHA1 739b99bdf5f9f1b56fc2fa2adb42b9d618569cec
SHA256 f5f33e87d9f3cf86f7acd5f7f6787470ae1c8dfa2922dbdbe7342364d9872d7e
SHA512 16e98ced3ed2497e0b349779e77464d600cf7dc4c35958f84d8a80f590ede8ea17f0a249dcfbdd4ab02a080a96216b7932a3896cc49a62fb8539e775623159eb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

MD5 44ec03cb3248c903b67751ea27df310a
SHA1 c57e9cf90caf30457e9d57db750b8a0eb8856770
SHA256 d4de4a836d11828dd561db1eb8d7fd48a7e0ce9afd8645e2eabb19a1267b6894
SHA512 657e8958d97eab524224bbd8903e0bd7d0c2640805f77da7546060164fe03f7b6ece99a005ef44e41b7233a2e24ffc63430b2fe3c87f61a1b26e0d7c7e52c365

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 0ef6e5f09304473e9c301bfa117735c1
SHA1 05a940d7993ebdc3c45cce34545d31385fd2f5fe
SHA256 9034bcddea661d00a4ddd374d2986b790752feb3e9a0e31092160e1b9fd70e2b
SHA512 ed2c8c29645bb6486c229c40e812ee6e9b885d4e96345ec6ac77ce284a1b9686b810435c1baedf25c0024d8c3d44ed5dedbf3553aec77ff397184b42b8fc189b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 340a960775d91f0bb353131095748263
SHA1 e41bd5159036de39960ce04cdc87ce06145e2998
SHA256 d5e1c717f6ad617461b2797bd6bcf92bf0390c83edd329c8ab58f42c49fa89f5
SHA512 5baacf89d02593a4a2f9e7a78a3d4ab301287ea64264d9729f9afe2ccde64874551e963849e04b16f5c94073d229903b76740d68fbc21e717c033e510417d95c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d2828adf2270e5b7256dbc04e1c411df
SHA1 58ff0300ed0c2eb0c580b6ea0d1348ee8c579d38
SHA256 9dbfc5d5d6f2d3db3be4a54d0d980eb259f98d5f36e41a1ba77f641afdd291d0
SHA512 4d84404eec7e81d7381e6600dba5cfe2bbec212e30d7e6433208be92e05b0bcb4cbf75a774b67493df3c15b76b48c0958e9cf4d2eb9d007e64b4f28d3394fdad

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e63786f01975f8271f16a958477e0738
SHA1 43fc3f6b4c9d505acfa5c936643157f65f10cf65
SHA256 57a132ddbb3faec9b4f68c2ff74cc3d47934893ab7a11f8ded871f1136d8094a
SHA512 faf7bae74d12c1c87785996fc35b5863ee50acd96711d89541c1d2e849c5766e25893337f63c198f359bdb47b92c8ac9b029e7406583e6769907f3cced756ad9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 c899c204a7d34f309210461eb17709be
SHA1 304abe92871946dfbb8ac9d809da1806f68a42cf
SHA256 c1b756a8db518e27e0b827ffd1abdad2c581223ae3804f6f2a27c9d042ea72eb
SHA512 46ee7e007af80390da0f4d7eb3bba49061fbfb9bb6115c3f40d7e5da3fd6316005d6cdf3faedf9777cc310789719d23533c97007a29e1550a9b48da6e5a11101

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 27d332703c2cb6b7874a21ad6c9ee2b1
SHA1 81c4e000746bc63f74af01fd39fd319f47770815
SHA256 aad673587007a5ec27f6b013170e678e190f4c919946ea44c9268a044ce43063
SHA512 82597082be3a3689dea5d113b214ae5687ef7ee48a023d98abb2d79d0759c08990e5980adaa8ac366ff3bf5cc808e5e9182355c67f695ad596fcc78474b84a71

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe588a78.TMP

MD5 16fe36220949a6b402698afe17de28ac
SHA1 a35d9b8d5df79e7650550c6ddaa2b87d4a885ed5
SHA256 f74c3a3121d0957cb2c3212ae58d8eb9455838f69f140813372269f590c7dbb1
SHA512 e6778484fffc73998ae258d21fc8f2df46b8b2673048155252a582593d67a67b9f3eb43367a0a78b6779218b35b56ee6b58246e69dc1bae589bdb03c2d1b401a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 30425431ff17a330c51e90a6ab7d508d
SHA1 cd1c935897d7f4202bd071cb5fb6573ac24bdf9e
SHA256 342291b171fdb2c67e77fc5d4f9b2d678ae5d6ad3a69a6a4295b2f8b8e071435
SHA512 41c08cce7efcf9f697db89a6edaf2c4b6c145e6971d3376286f7dbd16b52df25faa3a5dc7af8bc72a1bb04cc996a80a2de962bfbf75975c8237d73e0c86e8ddb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 056fe1ce2592475e8967aacad5585812
SHA1 697b4a32b2408b20449e118152d463fdc06d1fac
SHA256 b8cc69a8a18e3168529c16c2ddc4fb073ee70f1ebfe43d7ca686da65c1f3ade2
SHA512 006c92835ec1ed5f7cf715e3c6a97612134ea8871a6c74ebfae8190dae58fd2befb2f03bc0a64bf2473ffe08b2abd230a8b61534cbf39b37514da43320b39bee

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 acbe208eb56906e4c16f512cae610d70
SHA1 e80c6b3ad3367383958b2bcb308cd078a4eada0f
SHA256 4f124c7e4b6fd4cdfb12986e9bf068aeefa119de9499d361c1e59364a08357b1
SHA512 b3a7aa3370b423dbb5b77a1ecaeddf71db795f39ce19eb6d4d57f2c4962dab17240b127a94b8cf3246d7142b7ab0cfe7d45e24b6f820a07301255ff0a6737991

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 5f616a41b17fac6395a2bf2963578361
SHA1 89b3c24e76cf43353009207d8ec08d2fd7f463de
SHA256 f971c09a483ab2769168706f53af150da996dbae67e3141ac71e0c5154868687
SHA512 b569755cd0451021682daf789341930652849b39709fb43fe6e767664e42047f97b1f91a563c4fcbba020d87fe4fdc2f0b164b446724897d20d6afdce7571325

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58a2d3.TMP

MD5 aef7287c848bbc4136c133b38f723378
SHA1 0b6267fdcd703c76224efc1c56a54dcddfb2d959
SHA256 31ff0e7b7d5d92be4059956b48fd87ad331520f9edaba46c25b69c244c9474f0
SHA512 b05ad679d3e132341cd4d0d1b825acee3718ca58e217baca2d4a8bd8eaf9f73cab2a826bc4ba1c5e272cba123811450b69b7cc33675e9000105214936f0fed47

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 d5effb299462dfa25817742b73f54d53
SHA1 2d25ea61dd7e7ccc03fe7af35bc899a7f35f9ff1
SHA256 a7cffe8c42a388f2fd246d1b3514ec20692014d67909783e8a84dfc4b65a8f6e
SHA512 8088f33aaa95bc5bbdc92cb0d7784f1c3ec614092bc2fde36c14991ca0da9b9c5b6baba30dcc1e8b72539d6a97f39694ed0186cb7df82c5e7e638c143f240072

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

MD5 c1035f51211c7dfd1ce30a77b0fd4f0e
SHA1 893936af7dc759de32ffb35b037f6bb6fc886e2d
SHA256 5de2dbf86c26b78ee72a838eaeb952fefe84447b29a6f53f0573639317d506ab
SHA512 ba7d4221e18b8ba29c29b8747bc95a8f233af667f6c0ce8a3912bbd4db095ee3379fe2e8f3740888765a2345098ef77fcc62e870d02332afb2fab761516f25d0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 7261ef43b61fcf0e9a39b1a8f078c04b
SHA1 e64f7876c0572ec9dc51e250bbe433ee00cc55f5
SHA256 20b525b280db2e1727b75bd12b005a7e16d3f08a0fc36b146344dad47f093a8a
SHA512 694bbb50bf06965e94746ad1d268ba341a2b8d0ee4cf24b3a45595597e2dc0c0c28527dd4425f2cd5aeb3c49bfc91b53c06249b20fcc879ce0d4c196f23c978a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 900895265d7537167ab1dc68356c1e50
SHA1 4944eb399986842eaae7e7f2fe7ffdc46ab05f06
SHA256 d65eef5894b8138734a89db4e7414031c0d28a076ab97034d5fcfa34b8abad31
SHA512 b4251baa2afa451de8b0120be0814b2b288301b485be28ea29a76338706b1080adeb5fb2004b030cf52caa1bb9d028071662bbf79d2bb5845dbf2144b20ad7e0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e95138c7-a381-440c-a22a-e716559291c1\index-dir\the-real-index

MD5 8f1d92e20eaebb35441a1d4b9dd79fd9
SHA1 b5adfb102cf83d2d87d09e147136889b059c4d83
SHA256 b7870289ff170e9c7d88f94e08141fefcf0204c02fbedafdb87d315093a83c9a
SHA512 28329f7390034c6b57a074c39e9c6c752d2e2e0b20cb8754beca4dc854ccc8b2b3bbf4f9d6fff12e8f2dc7878a4f5f630ef0ff62cfb04a896d2fa269fa06f55f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d754a7b6-d041-4744-acfa-628ab1fabaaf\index-dir\the-real-index

MD5 83b3609a3dc0b71682f004d2a4deccff
SHA1 c3a9ce3551c19860eb7a58a4ee39634790256191
SHA256 cf19a9477e22c269c3bf01a1c6e6b2db420f6bdfee15d7bdb31b563869eeacfb
SHA512 8b6cdcc91b4f84e7c6b0fd4827fbe7d14e0ec22b9852f2f2c73ed4055640514db9c3a573f9bf5ba07befd043b92090ee8e046563d240690fdf1b3727d4d254e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d754a7b6-d041-4744-acfa-628ab1fabaaf\index-dir\the-real-index~RFe58a2f2.TMP

MD5 7218d149459eafb7336db0b0e01b3e44
SHA1 29ae5f739980aa57542c0ee5f0deac9169154f86
SHA256 30c5aea547c5022a7c9cbb5e17f7cec58720f7b577aee4424168375343509253
SHA512 56b93248b2370f5d97b24c86d4b67b8654c5c0504bd9c7d597006c0985a2cb0447d098275b137b59279a7f9e03d55d12e002ffc5c49a45ce518910078b82e64a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e95138c7-a381-440c-a22a-e716559291c1\index-dir\the-real-index~RFe58a2f2.TMP

MD5 c07a95ff9ce93c3b4db71053a9201e76
SHA1 4c21dbf3dab5f926405da18e570e761ac70b7c5e
SHA256 9f84c393124983fa5d803f585ccdc0b708e4c3baffa6674181493b7f6b559254
SHA512 3b8d1b6d60795a6e910cf017b0bfe0e97acdbcb2c9b3c5e6bbc3a08d42a58d3aae95058e6dca41738ceb80957988bd8384737f2b3dabae71df12fb873f7d2b9b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 c84692e8452819536696ecef795da8b2
SHA1 727c995fc0a7be58ac0c11487173590470f1f95c
SHA256 8184beed58e09df06911e7b262cb7ed043915863c2108dfdca2d23c5d1752f2a
SHA512 6b0c2470bfe9f8755feb364844bb49d0c726d88a0baae1a84c8467f30fb4983ca2ff36f958253ee608bee6b55869e47aa0b8a968b2659d8b38aeb4cede37a0c2