sodinokibi | d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c

Resubmissions

06-08-2023 21:23

230806-z8rpnacd47 10

06-08-2023 17:44

230806-wa5xvacf9s 10

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2023 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
Size

164KB
MD5

6b391f91c63765876e2571e87fe46575
SHA1

d508632ca452af6325c06434b29883cfa55d7948
SHA256

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c
SHA512

2e1c522393b137d7847c405cdaa735a4255fde534c8006460ef1a984eacc135fd8668fbd756d06b9011299911c2fd57c1a9112d01c046ebe8c98058b1abfae34
SSDEEP

3072:pEa2d8CfSXceqmPDu7lvspW0kAo0BQhyI0hQMnnsJ:5CqlPDuBkJpoQQgdnns

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Recovery\28c9q585-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 28c9q585. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6F933B7F897989EF 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/6F933B7F897989EF Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: j4baV14Lm2er4kExPK8gJ2cCAZAdaaEgvZ4lE8gtxwCqFlzxGMixcRaylOierjY/ HYFQKu4+taShMbH95nWOwZoLUtDzOnBA0H1JpeUpYIt3lKELPo77KEjw3Vig2ux6 EkrUCBFXN5HC2Ks7kbhDaESZk1JmT65s4Vd4ik5Vyv9YGrPtDUUNhLOH8r1FO/Gy wcXyJBd7I7ji4YTMam+LMwFWPP1/7INH2risFXPXa6PlgTImz0vR1ZOVR8Lb/eaz 8Ac8IImsUspEFufsVA4cDYR3LmQ7wRBPUYkUUJlIURGX2um7ilxke8Ihc3SRIEUT uM6/XERhutPGCui+SdD72E9I2cG/0w215PXoXakSdoqN6XLTiiiGvxi7DgTTfWQp GR6GgR81s7wWPcAAN6Ye4E79fjkq3izkCU70WiJgInYlz38Oq2LL+uuqXuZmxzKU GXfBHecxvnIiW4PIwZG6JYSl7YfbJ38/eU8mgEezHhx5oay4MNE17T+vLLZbz17w 3qPjdsG0yXob88zu3YYYhz/904/vJfgYyEGi+T3TrT5eX9MrlWeS19VPopY7NOWS lZFIefeK34o+LPnAj/055f6O3KwVYlxAU9u7DbKF40UDmhBztBCzkARszzEFE/3U MMiPvezwH0Un3jPRadX0EnvOiVeTSq+koaXx1BqMszB4WN9vn+f+MccGIG55RLv/ WdILCXBI2x4xTlkJJIyJql207Htb1IRK65PDcpznARejlKuMpTNCO4pr8frjHKdc 5VDfTizo3Qq7ylsSdbnzRHKhiKrJ+8oH1w3b/zoboTdHfItaFjJHx1Q7+MIxRJE0 qfN7161wyCvt0qlqSGiCJGtfiI8Et6JRyb82EkfY+pTwMg/jV3WS1ld8/HFN8gjk tY9LEnMSJPyH3EAnAP8QtG7ZBeLqIMqOm+XQWfalcUvHMRSy6YpHVtLO7r0UXFyx vH2Xj2V5R+hs874POn8Xy0uZKD4rK6hKLGmhAhiVQHwQ4lhoBkBcS9Fkisgg/xrm aVKqHugkRCO1Ya8BEg8Emq7YJ/SuAliz56lYvFl2HnpF8wTZPi/wmnSog/zEPlDK gVgArIYNd1QEV5dC3rRdxUB8ggkqTkgUmGd3WM6xENuXz3EpsaJoFSyu398+vfcB /wTzhEJCHc3wUKrecQhap0O/X5LxPM+gtNsaPzxfg10hHwQnXF+f6Yvwa2VwSRdq TxIEvLtjg1KAcnDKcdghQV6Ae8lFNw== Extension name: 28c9q585 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6F933B7F897989EF

http://decryptor.top/6F933B7F897989EF

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

description	ioc	process
File opened (read-only)	\??\P:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\H:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\J:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\K:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\M:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\D:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\B:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\N:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\S:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\T:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\U:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\V:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\Y:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\Z:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\A:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\E:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\G:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\O:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\F:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\W:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\X:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\I:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\L:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\Q:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\R:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\z1j0.bmp"	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

Drops file in Program Files directory 27 IoCs

Processes:

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

description	ioc	process
File opened for modification	\??\c:\program files\WatchFind.midi	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\ConvertToSuspend.wpl	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\ExpandUpdate.vstm	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\FormatConvertFrom.rmi	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\ImportRemove.emz	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\MeasureRestart.ps1xml	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File created	\??\c:\program files\28c9q585-readme.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\WatchRestore.xlt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\AssertJoin.odt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\DebugProtect.xml	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\LockRevoke.mp4v	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\ResetEnter.midi	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\ResetSave.scf	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\SkipResolve.mov	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\SaveClose.ods	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\WaitExit.potx	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\DenyLimit.m4v	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\ImportConnect.xml	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File created	\??\c:\program files (x86)\28c9q585-readme.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\PingConvertTo.wmv	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\PushUnblock.ppt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\UnprotectBackup.gif	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\ConnectGrant.mp4v	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\ConvertFromNew.vssx	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\ConvertToRename.mid	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\ShowPublish.mpv2	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\SwitchClose.jpe	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

4316 notepad.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

892 vlc.exe

pid	process
4316	notepad.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exepowershell.exechrome.exe

pid	process
4828	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
4828	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
3656	powershell.exe
3656	powershell.exe
300	chrome.exe
300	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

892 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

300 chrome.exe
300 chrome.exe
300 chrome.exe
300 chrome.exe
300 chrome.exe

pid	process
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

powershell.exevssvc.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeBackupPrivilege	4236	vssvc.exe
Token: SeRestorePrivilege	4236	vssvc.exe
Token: SeAuditPrivilege	4236	vssvc.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe
Token: SeShutdownPrivilege	300	chrome.exe
Token: SeCreatePagefilePrivilege	300	chrome.exe

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

vlc.exefirefox.exechrome.exe

pid	process
892	vlc.exe
892	vlc.exe
892	vlc.exe
892	vlc.exe
3048	firefox.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

vlc.exefirefox.exechrome.exe

pid	process
892	vlc.exe
892	vlc.exe
892	vlc.exe
3048	firefox.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe
300	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vlc.exefirefox.exe

pid process

892 vlc.exe
3048 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exefirefox.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4828 wrote to memory of 3656	4828	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe	powershell.exe
PID 4828 wrote to memory of 3656	4828	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe	powershell.exe
PID 3832 wrote to memory of 3048	3832	firefox.exe	firefox.exe
PID 3832 wrote to memory of 3048	3832	firefox.exe	firefox.exe
PID 3832 wrote to memory of 3048	3832	firefox.exe	firefox.exe
PID 3832 wrote to memory of 3048	3832	firefox.exe	firefox.exe
PID 3832 wrote to memory of 3048	3832	firefox.exe	firefox.exe
PID 3832 wrote to memory of 3048	3832	firefox.exe	firefox.exe
PID 3832 wrote to memory of 3048	3832	firefox.exe	firefox.exe
PID 3832 wrote to memory of 3048	3832	firefox.exe	firefox.exe
PID 3832 wrote to memory of 3048	3832	firefox.exe	firefox.exe
PID 3832 wrote to memory of 3048	3832	firefox.exe	firefox.exe
PID 3832 wrote to memory of 3048	3832	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3968	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3968	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3048 wrote to memory of 3104	3048	firefox.exe	firefox.exe
PID 3220 wrote to memory of 1216	3220	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
"C:\Users\Admin\AppData\Local\Temp\d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\TestWatch.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:4316

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SaveRedo.MOD"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:892

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\28c9q585-readme.txt
1⤵
PID:4196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.0.832573049\123794648" -parentBuildID 20221007134813 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e09846a-9cf3-4c09-9163-7ab18cfe481c} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 2016 23d31fdce58 gpu
3⤵
PID:3968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.1.610798444\1934108629" -parentBuildID 20221007134813 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a489c182-b1e4-4542-8f95-ca80f802d0ac} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 2412 23d25572258 socket
3⤵
PID:3104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
PID:1216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.0.1355365110\773462628" -parentBuildID 20221007134813 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 20938 -prefMapSize 232727 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d460fe3c-743a-4b5f-818e-98161f9986d8} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 1776 26bbaaf5158 gpu
3⤵
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff98afc9758,0x7ff98afc9768,0x7ff98afc9778
2⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1988,i,14305561583855540700,7374738402223981893,131072 /prefetch:8
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1988,i,14305561583855540700,7374738402223981893,131072 /prefetch:8
2⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1988,i,14305561583855540700,7374738402223981893,131072 /prefetch:2
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1988,i,14305561583855540700,7374738402223981893,131072 /prefetch:1
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1988,i,14305561583855540700,7374738402223981893,131072 /prefetch:1
2⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4148 --field-trial-handle=1988,i,14305561583855540700,7374738402223981893,131072 /prefetch:1
2⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1988,i,14305561583855540700,7374738402223981893,131072 /prefetch:8
2⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=1988,i,14305561583855540700,7374738402223981893,131072 /prefetch:8
2⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5388 --field-trial-handle=1988,i,14305561583855540700,7374738402223981893,131072 /prefetch:1
2⤵
PID:1464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4336 --field-trial-handle=1988,i,14305561583855540700,7374738402223981893,131072 /prefetch:1
2⤵
PID:3112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\28c9q585-readme.txt
Filesize
6KB

MD5
de35bc8c020cb54ac5d5645dbc89080a

SHA1
9bfc76b3ac1f8b869d11a6656908d884061fc933

SHA256
044ccbd4fb68aee9f491c122feafbfc399c9b0c3a2453e43c425095248ade37d

SHA512
6f0c3bed517dba8282e3073a3fcabf69028d4dd0b5eb876c783ac1640776984b7ea347a600d0f1910a4bced615a2685bb045123713b51fcc17841234596e68e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
57ab7cca4854bcbc2e76f890b508968a

SHA1
271d040e11bf7901dc87316670a01ed0e7b90bad

SHA256
965246928a42b4be9bad9d77bb0c65cc95cf038b39d47af8edeec11f71100cb9

SHA512
5d146d48d44f75724bd956b6ac24d72481483896ed34f250e443032fc0508908c56c785fd4027f6a4f4e9892eef6b475110843d12f5fffb3fb2a1ef4ae4aa444

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
984c2ff3a88368a5833141c608e47a3f

SHA1
8d124013f11741ae4c70e72570b3cf676aa1fd49

SHA256
70d85879e9c754a3948f6b604a08f8728bc324a3dfdd72b6487b556dc102b442

SHA512
ec1a2e00a858a38a03f0c550cf141b8a517cdbc9e3b4a4afcfcde3179d33b11e1334347e5690a4af47f746efcc5cb96a2c7a98955c8f8e3c80fd22a03791781b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a2bcfd5356622b53bf5d1df0889e962a

SHA1
0d921575b15036bc1a26ee331d7b64fc33bb8bfc

SHA256
64240f6b3943bcb042b273f4f5208dbd8166c4d9f48fa978514293d45c5397e3

SHA512
165b477b0c4bf4f8c9e4cf0cfc308921160e8bef2701292c8c4cc81ced36786ab7ff87624b71e380af756aa5e246f6f4395cfe5ab25a09e256556ce8549f8bd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
90KB

MD5
956dae694395ad5ce6000ba1c6bf140f

SHA1
0ec044cad8779507f86d57deed842c5558ad64ff

SHA256
1fea35e0335ba6b55e5966958afbd33fb402a9abb528d0313252437601189161

SHA512
7f97f5c8e521ba13f9f105dbd0746b2052c9a592128f920a9d5cfb780e62ac257eeb905b99cb77c977aceb9899518f072aaada2e88cd22f1a085e3124de71910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
89KB

MD5
5ca2e004c71668df6141e84884475d2c

SHA1
b1ce7f0aee28853d7c60e7a55d401f9f9e807580

SHA256
3580aa1f79e62cfb636e9dbf6868aa7bd699f70577d9ca021665b380240e5190

SHA512
10c4a76199acacdb5de4642e30f25eeb4ae29c471971e7378d6f4e160e3250f6f79813078bb49372493d79e6c592b8f9b4648ec39872076e8b246931cdf9c7ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
90KB

MD5
9d90e603e99d75fcf1c14a1b7687ae4f

SHA1
7decfb4ec0b87af3bee776449de836b10f225ae9

SHA256
430f7668c2f8da208389eaabe29779c9153187c5fd0edb01d4900451c262481a

SHA512
4f92553c5d85f1f452f654303da3fb8bc2a634e806dd84e2b92c70b21ae5502cee5d398339f40642f8deb35d5ceb1cbc38c46554f537c92ff40f19f43d884c3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tajwguhh.uox.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\prefs.js
Filesize
6KB

MD5
b82e9a9ff52c5519e4c66ec85c84c700

SHA1
58b61b348119cf18c8c880c12e0b70e5a7e2593a

SHA256
ae88cc1422a43132978ffb30c31707531abee8440ee352ac00243598ae67fbed

SHA512
c98a230626694bbcd7289791ca06a2539459a853d4f266685023208f1ac593c9568a6f6ed9981fa9626214c1677359f3c2e362b47769d1a673a062cc2dd2827a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionCheckpoints.json
Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Public\Desktop\28c9q585-readme.txt
Filesize
6KB

MD5
de35bc8c020cb54ac5d5645dbc89080a

SHA1
9bfc76b3ac1f8b869d11a6656908d884061fc933

SHA256
044ccbd4fb68aee9f491c122feafbfc399c9b0c3a2453e43c425095248ade37d

SHA512
6f0c3bed517dba8282e3073a3fcabf69028d4dd0b5eb876c783ac1640776984b7ea347a600d0f1910a4bced615a2685bb045123713b51fcc17841234596e68e2

Download Submit
\??\pipe\crashpad_300_IZAGIEJJKDFFNDJB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/892-562-0x00007FF97AB00000-0x00007FF97ADB4000-memory.dmp

Filesize
2.7MB

Download
memory/892-563-0x00007FF979850000-0x00007FF97A8FB000-memory.dmp

Filesize
16.7MB

Download
memory/892-564-0x00007FF978CC0000-0x00007FF978DD2000-memory.dmp

Filesize
1.1MB

Download
memory/892-561-0x00007FF981820000-0x00007FF981854000-memory.dmp

Filesize
208KB

Download
memory/892-560-0x00007FF675230000-0x00007FF675328000-memory.dmp

Filesize
992KB

Download
memory/3656-148-0x00007FF97B800000-0x00007FF97C2C1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-142-0x00000275ED800000-0x00000275ED822000-memory.dmp

Filesize
136KB

Download
memory/3656-145-0x00000275EB540000-0x00000275EB550000-memory.dmp

Filesize
64KB

Download
memory/3656-143-0x00007FF97B800000-0x00007FF97C2C1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-144-0x00000275EB540000-0x00000275EB550000-memory.dmp

Filesize
64KB

Download