lockbit | 14b9941d53f382c49d9ab75b8ec086210c17b19ffac0d071f462c4bfa8b5157a

Analysis

max time kernel
63s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PackedEncryptor.exe
Size

485KB
MD5

0f30d0d58dcc450cb0b05f1f84916cbb
SHA1

16033c2fe6c2149b8a23f5d7e01d30cdc73687b1
SHA256

14b9941d53f382c49d9ab75b8ec086210c17b19ffac0d071f462c4bfa8b5157a
SHA512

b101e4cd57fbe9e5b1636a9bac0b70f8cd3d4151b40b0c464dc9616fd192efee7e11458ce92d847b1e9879cb6f2eec17838f8d4b437a832c24cc504628d43ea3
SSDEEP

12288:syveQB/fTHIGaPkKEYzURNAgbAggkFLz8qd2:suDXTIGaPhEYzUzAktFX8x

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\RlWCfyLxZ.README.txt

Ransom Note

======================================== !!! ATTENTION !!! Your Files Have Been Encrypted by ManiaCrypt ======================================== What Happened? -------------- All of your important files, documents, photos, and databases have been encrypted using RSA. Without our decryption program, your files cannot be restored. Why Trust Us: -------------------- If we dont give you the decryption program after payment, nobody will trust us. What You Need to Do: -------------------- To get the decryption program, you must contact us. Steps to Restore Your Files: ---------------------------- 1. Open Discord and add the username ballets4. 2. Send us a message and mention your situation. 3. We will provide further instructions for obtaining the decryption program. Important Information: ----------------------- - DO NOT attempt to recover your files using third-party tools. They may damage your data and make recovery impossible. - DO NOT rename, move, or modify the encrypted files. This will also make decryption impossible. - Only we have the tools required to decrypt your files safely and effectively. We are waiting for your message. Time is critical. ======================================== Your Files. Your Responsibility. ========================================

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023ca1-4.dat	family_lockbit

Renames multiple (607) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	PackedEncryptor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	EFC0.tmp

Executes dropped EXE 2 IoCs

pid	Process
1576	Encryptor.exe
5600	EFC0.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini	Encryptor.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini	Encryptor.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPm7k_1lxb0zmwxcoam7j6xuowc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP460ntdj3ien4v_im72d5rff2d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPpy3yd98lb_mxluakvmyn00tpd.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\RlWCfyLxZ.bmp"	Encryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\RlWCfyLxZ.bmp"	Encryptor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5600	EFC0.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Encryptor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EFC0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop	Encryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\WallpaperStyle = "10"	Encryptor.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
4288	NOTEPAD.EXE
4732	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5408	ONENOTE.EXE
5408	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe
1576	Encryptor.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeDebugPrivilege	1576	Encryptor.exe
Token: 36	1576	Encryptor.exe
Token: SeImpersonatePrivilege	1576	Encryptor.exe
Token: SeIncBasePriorityPrivilege	1576	Encryptor.exe
Token: SeIncreaseQuotaPrivilege	1576	Encryptor.exe
Token: 33	1576	Encryptor.exe
Token: SeManageVolumePrivilege	1576	Encryptor.exe
Token: SeProfSingleProcessPrivilege	1576	Encryptor.exe
Token: SeRestorePrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeSystemProfilePrivilege	1576	Encryptor.exe
Token: SeTakeOwnershipPrivilege	1576	Encryptor.exe
Token: SeShutdownPrivilege	1576	Encryptor.exe
Token: SeDebugPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeBackupPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe
Token: SeSecurityPrivilege	1576	Encryptor.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
5408	ONENOTE.EXE
5408	ONENOTE.EXE
5408	ONENOTE.EXE
5408	ONENOTE.EXE
5408	ONENOTE.EXE
5408	ONENOTE.EXE
5408	ONENOTE.EXE
5408	ONENOTE.EXE
5408	ONENOTE.EXE
5408	ONENOTE.EXE
5408	ONENOTE.EXE
5408	ONENOTE.EXE
5408	ONENOTE.EXE
5408	ONENOTE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1576	1120	PackedEncryptor.exe	83
PID 1120 wrote to memory of 1576	1120	PackedEncryptor.exe	83
PID 1120 wrote to memory of 1576	1120	PackedEncryptor.exe	83
PID 1576 wrote to memory of 1664	1576	Encryptor.exe	94
PID 1576 wrote to memory of 1664	1576	Encryptor.exe	94
PID 5316 wrote to memory of 5408	5316	printfilterpipelinesvc.exe	103
PID 5316 wrote to memory of 5408	5316	printfilterpipelinesvc.exe	103
PID 1576 wrote to memory of 5600	1576	Encryptor.exe	105
PID 1576 wrote to memory of 5600	1576	Encryptor.exe	105
PID 1576 wrote to memory of 5600	1576	Encryptor.exe	105
PID 1576 wrote to memory of 5600	1576	Encryptor.exe	105
PID 5600 wrote to memory of 5784	5600	EFC0.tmp	106
PID 5600 wrote to memory of 5784	5600	EFC0.tmp	106
PID 5600 wrote to memory of 5784	5600	EFC0.tmp	106
PID 244 wrote to memory of 796	244	chrome.exe	112
PID 244 wrote to memory of 796	244	chrome.exe	112
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 2500	244	chrome.exe	113
PID 244 wrote to memory of 4716	244	chrome.exe	114
PID 244 wrote to memory of 4716	244	chrome.exe	114
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115
PID 244 wrote to memory of 4308	244	chrome.exe	115

C:\Users\Admin\AppData\Local\Temp\PackedEncryptor.exe
"C:\Users\Admin\AppData\Local\Temp\PackedEncryptor.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Encryptor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Encryptor.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    - Drops file in System32 directory
    PID:1664
- - C:\ProgramData\EFC0.tmp
    "C:\ProgramData\EFC0.tmp"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5600
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EFC0.tmp >> NUL
      4⤵
      System Location Discovery: System Language Discovery
      PID:5784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3916

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RlWCfyLxZ.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4288

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5316
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{29DE4779-C148-47DC-8544-EE927B8E5209}.xps" 133823761229210000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5408

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RlWCfyLxZ.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffeec57cc40,0x7ffeec57cc4c,0x7ffeec57cc58
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,16591336595163466639,8220123498280214395,262144 --variations-seed-version --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,16591336595163466639,8220123498280214395,262144 --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,16591336595163466639,8220123498280214395,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,16591336595163466639,8220123498280214395,262144 --variations-seed-version --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,16591336595163466639,8220123498280214395,262144 --variations-seed-version --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,16591336595163466639,8220123498280214395,262144 --variations-seed-version --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3196,i,16591336595163466639,8220123498280214395,262144 --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:1
  2⤵
  PID:5804

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\AAAAAAAAAAA

Filesize
129B

MD5
80e5292514e98f0f9156e41f889d9b58

SHA1
af0d32eb230415db0eee47c4b9e0325e883f614b

SHA256
e091b25d7ccd292c5e4f4829151721a8790751ac0a042c1c1327d9b45e7c356e

SHA512
04bb0da5a643ff881664231f7c2905fc6b1750549e89fab7bc4e0d985e828d660ae27ca39ca1d98d102755ab1554e383140ad25a0a2f88ec785bce7fd548b856

Download Submit
C:\ProgramData\EFC0.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\RlWCfyLxZ.README.txt

Filesize
1KB

MD5
c283c63ae856a725b5e4f127156e4cf6

SHA1
d8d9b6f436f2495f52eb248f05998835fc71738d

SHA256
9bcbb2fc5d4124bce953bda76499c9a1ddf81a7befb06dd1c0294bedd3c9ba4b

SHA512
3a07269c7de4a3ce862aa8f15014bab2f39497c1be0359fd34b2ecb4f417dd9cdcb43c249d7f80563d2facedaece9741310f5e8cd452e15c508e02098be9d0e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4388f72a698a00c73e2ce0f0b8850ff1

SHA1
5b58385ddccb3ac3bc0bf32049f1609b1bd2d291

SHA256
392ee14af99dee1b881d470371f36579cccec71ddc69cd837dd4b173888f37ad

SHA512
7e25c40a27d839077820ed2aab638014fc55a64eb43ef6fd9d5fca8a60f7b7f888451775f89613c3748a3020fa04856a528e25ca157b14d010afa188fc8ca13e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
80c5e14152ec25e0e927a1be632dc350

SHA1
07189169f0475eb26fbec121e94f83effde88b23

SHA256
c5ee93b86f2ba01a01d7341bdc10e066414838cc6d0e421324578eee87207b07

SHA512
36ce2e24480f70b59187c3a9c62b9e0f87171956404860bc59ad78944ac779eaf7267c375c1c9aacda0123754b846d19cc2567f358ae7b5d33909873766297b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
dc347c5bf443a6716ed9eecceb5fa5eb

SHA1
c99e50abf60592d31cd1bb7004cbc0119a9448c5

SHA256
bdedaa0eb5930dce289354ebf1f4c66012d1fd9945c3dff6a5ff131a89f476c7

SHA512
6775ee47ec1e9ac59be14330e2e2cc30862fd804c4c5b46f3c27fe1ffc1ea742de4c67901367e7f59dca5cdedbec2dec3bf361472296d7f6b439a7ce46305b03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
82c6ba65fe129c5547046efcc3399a7c

SHA1
a632bab34b7d7c239e90e76505fa9d7b489c3c42

SHA256
355608d6cd1416aadc441f959752319424b2ffd575e234982e41a441d5d804f7

SHA512
01c29c45999dc0f1723b5df930dfb04dc0545130a141fae363b60d9c32870f6a9c12e21f0532f316022bded01f245e6e1f2efda7f231520bb1e962f1480d72ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
13e8293cd184850f9cd0f658074a6cfb

SHA1
3a8a760b1c48c4273f3a903d760f62ceede542cc

SHA256
54067e3793cb72bf318208fc0d1d37649563e012a99bf81044d932de58e4d841

SHA512
91eddacbbacfe56f9d72cc1a8e385099c1475ebf195b94858cdcb5e0c0f410d6c4d760104bd36e9f9d6660f1da19352f1857ef5cbab7b79d9060cdc2cf1dd6ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
3KB

MD5
aa58efa88c12b464f9fa9994e6272de3

SHA1
7da702945fcc81578d1e2e2117e8f7d92917fa4e

SHA256
8bb29e7609f579ae004d9dc9d2b90505d8b936fed0feb39c8b99521530fb6e6a

SHA512
5338cac8782b89296beb2c39e31adf894806d5528d2e0edd88b75372c73b5dc5d374544599f100426872ff439fe278db585100110b14061f4dbec21c21f891fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe588a59.TMP

Filesize
1KB

MD5
cdfadb93f4608b77941fd3cb28640551

SHA1
b4fd0fd911ed9b12cb9a4e4e2208eff55b3058c3

SHA256
6c162d9595d0660cef963ab06fae93633e8ed75ee71338d89b3a0a612000d60f

SHA512
dbbfb6cc7241938fb2a32a7d022b2729eac486e71891dbc029b2135fcc025e02c5afec65d8e95fc23ffdc43da0ff0e8b988ff96978c24867b20e8ef1ffc62897

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DDDDDDDDDDDDD

Filesize
147KB

MD5
32c2f4baef5d30b2e03d39d1ba2535d7

SHA1
64c80f3f7203722b6e9a40e372494bc5652058e2

SHA256
b6e83c1723bf2e51df0b4a06b149f384bc4463936abbbe463683e87812ccecef

SHA512
35efcca358f65aa964060c483271ea52fbbbd76b6b0e9928822e0b3be36a3d9bd3b6284edc0633a374ad598edef0230595a8a15af25b249d55b62a8c6efeaff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Encryptor.exe

Filesize
147KB

MD5
5e0b0af4c133567f05fe4efd9b6936e5

SHA1
5469f3b48217924741c024cd2f8fb8f808502654

SHA256
bd66fb04d8359196cb918f81f48a662830928dfd3218dfe0cc2418e21615f5a5

SHA512
9ccb59ee9688deef4fef9d329337299e126f40cc904acdea288e7b96d72a9c9546b8da2a175aeeefe7547e6167898de5df97f8a123b9189da94d86e4ffb421fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{95CEB9F7-EEDF-4D2F-94A1-7078FA6CE63C}

Filesize
4KB

MD5
8bb9ad1c2d057c9b46aa161276ffd884

SHA1
f9ba3099eb212c52d177dbaae4317925db2f4530

SHA256
a119b4c505dabfcb4391882a674c182902a2c1ac439ba80514c2ed7e08c19dec

SHA512
afdf29c52d0b3d538bc2c410da6123a985f906641066251018ae845c4fb6520d48fa8de8a3f29baaf3cacab9a946e7cfc738b26cc8c08e71f524209d45b2c2ab

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
f598c4c9b9d6bec247b4ae32fab0dc91

SHA1
d73ad83bd3f99a310292fa49e19d9d9d18140a37

SHA256
8cd7186354237679467a9e8afb36fad132277bd481278147fbd49ccb4a3985a5

SHA512
0a8d7447c79d89367da1324f0db693e6f9a5ebdbdc6229d950132bd2d3e5c86c126825346dde7cb929fc941332e2faf4acfd822f14ed1152cff07ea4bcbbf2a9

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2437139445-1151884604-3026847218-1000\DDDDDDDDDDD

Filesize
129B

MD5
1eb35474f485237becb1b6f4acec06de

SHA1
dff4f03df5d9880e5dca510ebf2628cdb1d41364

SHA256
6b843ff8c6f7a295244e8259ee25d3d80b4c71634fe3dc87d528a0d138de48d9

SHA512
0adb34692a9b04bec5c5c926c9dcca49c2c5f382d666b65478da72ffec20272a56ad1bd5f14c4e72e840aa89ae6c57b8e285bc739a56d8c7450a4a2695a770e9

Download Submit
memory/1576-2959-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/1576-9-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/1576-11-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/1576-10-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/1576-2957-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/1576-2958-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/5408-3037-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

Filesize
64KB

Download
memory/5408-2971-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

Filesize
64KB

Download
memory/5408-2972-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

Filesize
64KB

Download
memory/5408-2970-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

Filesize
64KB

Download
memory/5408-2974-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

Filesize
64KB

Download
memory/5408-2975-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

Filesize
64KB

Download
memory/5408-2976-0x00007FFECA190000-0x00007FFECA1A0000-memory.dmp

Filesize
64KB

Download
memory/5408-3038-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

Filesize
64KB

Download
memory/5408-3039-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

Filesize
64KB

Download
memory/5408-2981-0x00007FFECA190000-0x00007FFECA1A0000-memory.dmp

Filesize
64KB

Download
memory/5408-3036-0x00007FFECC4B0000-0x00007FFECC4C0000-memory.dmp

Filesize
64KB

Download