dbf9cc65461c7bc650938156d3751d4ae0ce4312d3899f747e590767c0ef0408

max time kernel
141s
max time network
145s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
03/09/2023, 10:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

92.exe
Size

1.3MB
MD5

7defc0b43aa2ad389575df2419b7909b
SHA1

cf0dd52331ce203c723f7be32bd91d7cfb34a988
SHA256

dbf9cc65461c7bc650938156d3751d4ae0ce4312d3899f747e590767c0ef0408
SHA512

9291bc529ce05bc4d0f0e464e008023ca8d310beeca0cbf47b21239423607f5944ed446d9e99537c49cf637a1aed3b55a96277f327bc4d8eb8908b400d8c2573
SSDEEP

12288:0BVVtkNBJOlMmXP0447OdMyogfJ7gwPueClVVRWM5YDh8xpoPzouMA+nkGGCp+ME:tTcCG0447AMVgfdnTClVm4QzcGRGS

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\How To Restore Your Files.txt

Ransom Note

All your documents, company files, images, etc (and there are a lot of company data) have been encrypted and the extension has been changed to .knight_l . The recovery is only possible with our help. US $14508 in Bitcoin is the price for restoring all of your data. This is the average monthly wage for 1 employee in your company. So don't even think about negotiating. That would only be a waste of time and you will be ignored. Send the Bitcoin to this wallet:1HRgvL5tQreF55wzLNP9g7NV2MoRuugoDE (This is your only payment address, please don't pay BTC to other than this or you won't be able to get it decrypted!) After completing the Bitcoin transaction, send an email at: http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/f6e2d5b5-775a-4cca-a4d2-44d6891c3e42/ (Download and install TOR Browser (https://www.torproject.org/).[If you don't know how to use it, do a Google search!]).You will get an answer as soon as possible. I expect a message from you with the transfer of BTC Confirmation (TXID). So we can move forward to decrypt all your data. TXID is very important because it will help us identify your payment and connect it to your encrypted data.Do not use that I am here to waste mine or your time. How to buy the BTC? https://www.binance.com/en/how-to-buy/bitcoin https://www.coinbase.com/how-to-buy/bitcoin Note: Your data are uploaded to our servers before being encrypted, Everything related to your business (customer data, POS Data, documents related to your orders and delivery, and others). If you do not contact us and do not confirm the payment within 4 days, we will move forward and will announce the sales of the extracted data. ID:9891e7495175001c89b208f25ee852a9bd3722600da54f258c7f53ecb5de2950

URLs

http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/f6e2d5b5-775a-4cca-a4d2-44d6891c3e42/

https://www.binance.com/en/how-to-buy/bitcoin

Signatures

Renames multiple (167) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 15 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	explorer.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 3376	1940	92.exe	70

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133382112102012071"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1940	92.exe
1940	92.exe
1276	chrome.exe
1276	chrome.exe
3376	cmd.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1940	92.exe
3376	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 3376	1940	92.exe	70
PID 1940 wrote to memory of 3376	1940	92.exe	70
PID 1940 wrote to memory of 3376	1940	92.exe	70
PID 1276 wrote to memory of 496	1276	chrome.exe	74
PID 1276 wrote to memory of 496	1276	chrome.exe	74
PID 1940 wrote to memory of 3376	1940	92.exe	70
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 2000	1276	chrome.exe	78
PID 1276 wrote to memory of 3088	1276	chrome.exe	76
PID 1276 wrote to memory of 3088	1276	chrome.exe	76
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77
PID 1276 wrote to memory of 192	1276	chrome.exe	77

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\92.exe
"C:\Users\Admin\AppData\Local\Temp\92.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3376
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    3⤵
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:3488
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7C1EF450-5B23-473E-81B4-15CB382FC399}'" delete
      4⤵
      PID:2344
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7C1EF450-5B23-473E-81B4-15CB382FC399}'" delete
        5⤵
        
        PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe4b569758,0x7ffe4b569768,0x7ffe4b569778
  2⤵
  PID:496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1836,i,4381003367772787579,1263922067753169503,131072 /prefetch:8
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1836,i,4381003367772787579,1263922067753169503,131072 /prefetch:8
  2⤵
  PID:192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1836,i,4381003367772787579,1263922067753169503,131072 /prefetch:2
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2884 --field-trial-handle=1836,i,4381003367772787579,1263922067753169503,131072 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2876 --field-trial-handle=1836,i,4381003367772787579,1263922067753169503,131072 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4456 --field-trial-handle=1836,i,4381003367772787579,1263922067753169503,131072 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1836,i,4381003367772787579,1263922067753169503,131072 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1836,i,4381003367772787579,1263922067753169503,131072 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1836,i,4381003367772787579,1263922067753169503,131072 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1836,i,4381003367772787579,1263922067753169503,131072 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4576 --field-trial-handle=1836,i,4381003367772787579,1263922067753169503,131072 /prefetch:2
  2⤵
  PID:4580

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3012

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\How To Restore Your Files.txt
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\How To Restore Your Files.txt

Filesize
1KB

MD5
59e399169558bdc6a2e9acd60d36797e

SHA1
91da478efd71df3a805afda3968c60504ade76a5

SHA256
af0f1c61484dd4854492242bd53d3e612fba977beaddc91fdd77808db83fbf70

SHA512
99534b9a285b6b2b008ca057ae51532bda44b691e6ee9738df5fa26af517d2818ac3aa030c2d45b13b8c2d7aa1febdcd11b1e08fa36b0cfdc91e1a97e12c76f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
38c603e266ba61b3e58041f52fa93dac

SHA1
61c5bb15ee18a669028ca65243e12a04d77a9980

SHA256
f248da45d026177c771db35d2446289a3445f6c421aa328251835d08b312f9f6

SHA512
6a56f38d8674094e757ca76007aa1496b748df5850473c2d06b4e02f02763d8213f5211dbe1d05079cee2003d2b3fed37c6091dc38593f35d20e68027b3c1f92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
1382fad326c7d35ed3daca0adbff6c53

SHA1
312f44819f36fd3942d59e37d7e448249002ca55

SHA256
bc0a8d1e5d6a1abebb609475d1d3cbe8b62c5c25db8582079c9e956536c78134

SHA512
f7ea8f2b51804e1ddf0a36445f3455a07ad01f38d2706574b6a4ab460059535500ddd1d6aba01524ff9521195bcc61432ef8c3f1e47ae2492b1f9f685bde95a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5e9813e743fd8aa63c1fc6f21069b02e

SHA1
1ba6830af5713fb201a97fb3de2add48bb08d577

SHA256
27e37aa1bb22337003b4568a912ac8b21dfc85e655e13241fb6a8d27729c7ae2

SHA512
7158278436083498c8b946001ab495ee2fcd188e433ca0d978c2ac71e82e49c224fc4fa082d71f258515cec7a9758777d986ab8db04d83ecc7467aa2af6f4d55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
087f4165540afd8d9ce80c76dff18032

SHA1
7fa718a8fef953842b3236099ca2277fd65582ac

SHA256
5b456374695f2a8a322b9ff98f2e8f1891d84055453e216b411461be985ce7d8

SHA512
27690a6b7c17e1cb5422db803efc7ec7c25d4234ff859f42e25fcd8401e4f1de66f8b1b8f59cc78e7da70e1d33a0caf075553fe5fd8df89dde449ed11b99f31a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1f0f72e1fa07219e27c071609f5bd30e

SHA1
9fb159e7d01fa976fd8919369c74ff744109dabd

SHA256
a92f555d890de086a2acbb018b16beaf1d19d8d6006c278a29e20b830ee78c91

SHA512
f2aee58cfb54900fa0745655a0e3a4a11d57da9a15bc167cff09f5beeb0eca5bf8992e38d9be3bfe546e1689a6797e0ff66f778c137e33b2bf03c340efbf847c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
04c0039f5b44d33823f0573c6b62f4d5

SHA1
67c1f2acb9b31a0b9eb83b3032e9af65025bd696

SHA256
fda9c7d439737bde6455828d6d12493a4f480d4c5db6bc496ac2ab845d885e40

SHA512
1419fbf4ef466b961546ad64135fb0357635732b0f1837457a83d8e96948cc55fd55c859c47145336c0e1e51a639b6af4aa630fc93d6c550549c25b4be422f5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
190KB

MD5
d2b8c79738d3b501c3d4953616d01e03

SHA1
af7b3849fa596e92c13d7be29569f1cce4a46095

SHA256
3efcfda2f5cbf639d62e1ce1fa7ddf8a7c43de4adc709af89f606abd77a1a68a

SHA512
344b033c7b159f9d8d0d22672e92f14c95ac01dd3996511586451ce6bf5771a7fc3335a2b51c0c2d7930a2c81b494ef56a65441cdbe5af371ff9041ca80e4d1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\568da3b9

Filesize
759KB

MD5
2aa48230e89a9fba66cf5392677800a7

SHA1
4839d5ef9f87b78079d0190f1e96ea30a9278419

SHA256
c37d5f6322bc6ef010485af481432e6a1d079ef90609978b1feb5128744bbb17

SHA512
51291b8881eac4ee7b87e32fe36c33c64485ec74d03d4d33eac6fe76b2b831a60a70e6a6e4b34c6fd2a10180e180eadda8bb114172b32d264d9315a5f3b7e8e7

Download Submit
C:\Users\How To Restore Your Files.txt

Filesize
1KB

MD5
59e399169558bdc6a2e9acd60d36797e

SHA1
91da478efd71df3a805afda3968c60504ade76a5

SHA256
af0f1c61484dd4854492242bd53d3e612fba977beaddc91fdd77808db83fbf70

SHA512
99534b9a285b6b2b008ca057ae51532bda44b691e6ee9738df5fa26af517d2818ac3aa030c2d45b13b8c2d7aa1febdcd11b1e08fa36b0cfdc91e1a97e12c76f0

Download Submit
memory/1940-3-0x00007FFE3B410000-0x00007FFE3CABE000-memory.dmp

Filesize
22.7MB

Download
memory/3376-54-0x0000000072670000-0x00000000739F3000-memory.dmp

Filesize
19.5MB

Download
memory/3376-58-0x0000000072670000-0x00000000739F3000-memory.dmp

Filesize
19.5MB

Download
memory/3376-53-0x0000000072670000-0x00000000739F3000-memory.dmp

Filesize
19.5MB

Download
memory/3376-32-0x00007FFE57EE0000-0x00007FFE580BB000-memory.dmp

Filesize
1.9MB

Download