Analysis
- max time kernel: 97s
- max time network: 73s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 12-06-2023 06:00
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Revil.exe
  - Resource: win10-20230220-en
General
- Target: Revil.exe
- Size: 119KB
- MD5: fa8117afd2dbd20513522f2f8e991262
- SHA1: f7b876edb8fc0c83fd8b665d3c5a1050d4396302
- SHA256: 78b592a2710d81fa91235b445f674ee804db39c8cc34f7e894b4e7b7f6eacaff
- SHA512: 2bab344d136b31cd7c55b7cd0ef1b7718c9952573f3b1478a2efb8211563d7dedacefd4764a7186e15f7de93cc43fa29fc4d2fa61961a14bb12d7bea830e5032
- SSDEEP: 3072:KW5yc3Y4SMQwuOekD96R928AN+/uSxo+HHz/bs/k4OS:K83Y5BAxa92KrxTnz/Y/k4O
Malware Config
Extracted
Family: sodinokibi
- net: false
- pid: $2b$13$wz1reRfdLg.aiStLDqg5JeqqySemSPatWKHdwbpWVrC3ty7Akscg6
- prc (processes to terminate before encryption):
vsnapvss
EnterpriseClient
firefox
infopath
cvd
tv_x64.exe
VeeamTransportSvc
steam
encsvc
mydesktopservice
outlook
synctime
ocssd
SAP
cvfwd
bengien
vxmon
bedbh
ocomm
ocautoupds
raw_agent_svc
oracle
disk+work
powerpnt
saposcol
sqbcoreservice
sapstartsrv
beserver
saphostexec
dbeng50
isqlplussvc
CVODS
DellSystemDetect
CVMountd
TeamViewer.exe
dbsnmp
thunderbird
mspub
wordpad
visio
benetns
QBCFMonitorService
TeamViewer_Service.exe
tv_w32.exe
QBIDPService
winword
thebat
VeeamDeploymentSvc
avagent
QBDBMgrN
mydesktopqos
xfssvccon
sql
tbirdconfig
CagService
pvlsvr
avscc
VeeamNFSSvc
onenote
excel
msaccess
agntsvc
- ransom_oneliner: All of your files are encrypted! Find EDGEWATER-README.txt and follow instuctions
- ransom_template:
---=== Welcome. Again. ===--- [+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have {EXT} extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should visit our website where you can decrypt one file for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. In practice - time is much more valuable than money. [+] How to get access to our website? [+] Use TOR browser: 1. Download and install TOR browser from this site: https://torproject.org/ 2. Visit our website: http://4to43yp4mng2gdc3jgnep5bt7lkhqvjqiritbv4x2ebj3qun7wz4y2id.onion When you visit our website, put the following data into the input form: Key: {KEY} !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we (the best specialists in this sphere) ready to make everything for restoring but please do not interfere. !!! !!! !!
- sub: 49
- svc (services to stop before encryption):
QBCFMonitorService
thebat
dbeng50
winword
dbsnmp
VeeamTransportSvc
disk+work
TeamViewer_Service.exe
firefox
QBIDPService
steam
onenote
CVMountd
cvd
VeeamDeploymentSvc
VeeamNFSSvc
bedbh
mydesktopqos
avscc
infopath
cvfwd
excel
beserver
powerpnt
mspub
synctime
QBDBMgrN
tv_w32.exe
EnterpriseClient
msaccess
ocssd
mydesktopservice
sqbcoreservice
CVODS
DellSystemDetect
oracle
ocautoupds
wordpad
visio
SAP
bengien
TeamViewer.exe
agntsvc
CagService
avagent
ocomm
outlook
saposcol
xfssvccon
isqlplussvc
pvlsvr
sql
tbirdconfig
vxmon
benetns
tv_x64.exe
encsvc
sapstartsrv
vsnapvss
raw_agent_svc
thunderbird
saphostexec
Extracted
- Path: C:\Recovery\EDGEWATER-README.txt
- URL: http://4to43yp4mng2gdc3jgnep5bt7lkhqvjqiritbv4x2ebj3qun7wz4y2id.onion
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (8 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: Revil.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\CompareResume.tiff => \??\c:\users\admin\pictures\CompareResume.tiff.58352m | Revil.exe
  File renamed | C:\Users\Admin\Pictures\LockPop.tiff => \??\c:\users\admin\pictures\LockPop.tiff.58352m | Revil.exe
  File renamed | C:\Users\Admin\Pictures\UndoUnblock.crw => \??\c:\users\admin\pictures\UndoUnblock.crw.58352m | Revil.exe
  File renamed | C:\Users\Admin\Pictures\SubmitSuspend.tif => \??\c:\users\admin\pictures\SubmitSuspend.tif.58352m | Revil.exe
  File renamed | C:\Users\Admin\Pictures\DebugDisconnect.raw => \??\c:\users\admin\pictures\DebugDisconnect.raw.58352m | Revil.exe
  File opened for modification | \??\c:\users\admin\pictures\CompareResume.tiff | Revil.exe
  File opened for modification | \??\c:\users\admin\pictures\LockPop.tiff | Revil.exe
  File renamed | C:\Users\Admin\Pictures\CompareSuspend.crw => \??\c:\users\admin\pictures\CompareSuspend.crw.58352m | Revil.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: chrome.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run | chrome.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: Revil.exe
  description | ioc | process
  File opened (read-only) | \??\B:, \??\J:, \??\P:, \??\X:, \??\W:, \??\G:, \??\K:, \??\M:, \??\N:, \??\O:, \??\R:, \??\T:, \??\Y:, \??\H:, \??\L:, \??\Q:, \??\S:, \??\Z:, \??\D:, \??\A:, \??\E:, \??\F:, \??\I:, \??\U:, \??\V: (one entry per drive letter) | Revil.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: Revil.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\k4yla0n.bmp" | Revil.exe
- Drops file in Program Files directory (22 IoCs)
  Processes: Revil.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\NewConnect.temp | Revil.exe
  File opened for modification | \??\c:\program files\StartLock.html | Revil.exe
  File opened for modification | \??\c:\program files\WatchSkip.eps | Revil.exe
  File opened for modification | \??\c:\program files\ReceiveApprove.DVR | Revil.exe
  File opened for modification | \??\c:\program files\RenameComplete.asp | Revil.exe
  File opened for modification | \??\c:\program files\ShowUpdate.tif | Revil.exe
  File opened for modification | \??\c:\program files\TestPop.mp3 | Revil.exe
  File opened for modification | \??\c:\program files\WatchStep.wma | Revil.exe
  File opened for modification | \??\c:\program files\UnregisterResize.ppt | Revil.exe
  File created | \??\c:\program files (x86)\EDGEWATER-README.txt | Revil.exe
  File opened for modification | \??\c:\program files\ConvertFromPing.ppsm | Revil.exe
  File opened for modification | \??\c:\program files\RegisterSkip.mht | Revil.exe
  File opened for modification | \??\c:\program files\RepairRestart.dot | Revil.exe
  File opened for modification | \??\c:\program files\ResizeAssert.ttc | Revil.exe
  File opened for modification | \??\c:\program files\SwitchGroup.clr | Revil.exe
  File opened for modification | \??\c:\program files\UnprotectSend.TS | Revil.exe
  File created | \??\c:\program files\EDGEWATER-README.txt | Revil.exe
  File opened for modification | \??\c:\program files\ConvertFromLock.eps | Revil.exe
  File opened for modification | \??\c:\program files\DismountExpand.mpp | Revil.exe
  File opened for modification | \??\c:\program files\DismountMount.vsdx | Revil.exe
  File opened for modification | \??\c:\program files\PingCompare.asp | Revil.exe
  File opened for modification | \??\c:\program files\ShowGrant.emf | Revil.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: chrome.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: chrome.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133310232407606957" | chrome.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: Revil.exe, powershell.exe, chrome.exe
  pid | process | occurrences
  2256 | Revil.exe | 2
  4304 | powershell.exe | 3
  4300 | chrome.exe | 2
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: chrome.exe
  pid | process | occurrences
  4300 | chrome.exe | 6
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: Revil.exe, powershell.exe, vssvc.exe, chrome.exe
  description | pid | process
  Token: SeDebugPrivilege | 2256 | Revil.exe
  Token: SeDebugPrivilege | 4304 | powershell.exe
  Token: SeBackupPrivilege | 3684 | vssvc.exe
  Token: SeRestorePrivilege | 3684 | vssvc.exe
  Token: SeAuditPrivilege | 3684 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 2256 | Revil.exe
  Token: SeShutdownPrivilege | 4300 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4300 | chrome.exe
  (The remaining entries, all for PID 4300 chrome.exe, alternate between SeShutdownPrivilege and SeCreatePagefilePrivilege.)
- Suspicious use of FindShellTrayWindow (27 IoCs)
  Processes: chrome.exe
  pid | process | occurrences
  4300 | chrome.exe | 27
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: chrome.exe
  pid | process | occurrences
  4300 | chrome.exe | 24
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: Revil.exe, chrome.exe
  source PID | source process | target PID | target process | occurrences
  2256 | Revil.exe | 4304 | powershell.exe | 2
  4300 | chrome.exe | 1940 | chrome.exe | 2
  4300 | chrome.exe | 4692 | chrome.exe | repeated
  4300 | chrome.exe | 4720 | chrome.exe | 2
  4300 | chrome.exe | 4676 | chrome.exe | repeated
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\Revil.exe (PID 2256)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Revil.exe"
  Signatures: Modifies extensions of user files; Enumerates connected drives; Sets desktop wallpaper using registry; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4304, child of 2256)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (The -e argument is base64-encoded UTF-16LE. It decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of every volume shadow copy through WMI, which is what triggers the vssvc.exe activity and the "Uses Volume Shadow Copy service COM API" signature above.)
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (PID 1760)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4300)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Adds Run key to start application; Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  Child processes (each is "C:\Program Files\Google\Chrome\Application\chrome.exe"; only the arguments are listed):
  - PID 1940: --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff8560c9758,0x7ff8560c9768,0x7ff8560c9778
  - PID 4720: --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1940 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:8
  - PID 4692: --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:2
  - PID 4676: --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1748 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:8
  - PID 3348: --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:1
  - PID 3416: --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:1
  - PID 5116: --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4368 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:1
  - PID 1592: --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:8
  - PID 2152: --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3560 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:8
  - PID 4056: --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:8
  - PID 2084: --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:8
  - PID 1364: --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:8
  - PID 280: --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4744 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:1
  - PID 1236: --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3748 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:1
  - PID 1592: --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5328 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:1
  - PID 4136: --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5404 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:8
  - PID 4272: --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3140 --field-trial-handle=1780,i,2413126401063049876,10184899413953443883,131072 /prefetch:8
- C:\Windows\system32\vssvc.exe (PID 3684)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 5112)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"