c7d0fa4e911df7241f9385a109ad4814d10fb640bb8151e7d1abeec1065bcacd

Resubmissions

14/03/2025, 12:46

250314-pz49aatrv9 10

14/03/2025, 12:43

250314-pydpya1vbs 10

14/03/2025, 12:42

250314-pxnths1tf1 10

14/03/2025, 07:46

250314-jmdmxawvhv 10

Analysis

max time kernel
138s
max time network
129s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
14/03/2025, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
Size

92KB
MD5

b66ef055f69d2d1a1d8a6f7128cc34a4
SHA1

b0bdbebb93abe1c437d9b8f243368ca0de74603a
SHA256

c7d0fa4e911df7241f9385a109ad4814d10fb640bb8151e7d1abeec1065bcacd
SHA512

c052dd76b90cad8b5d40409d00ef41d3e75439edab7e6cb79d60ec98bd17af172e4e56fa031bf1cd5256d7baa0f6ea13648044da641df90e992f36432fe0d64a
SSDEEP

1536:Y73nkB0DyMgQSm9NwcKzwpR+7JICS4ABwZ/gsZujGC:c/hKzstg5gs2

Score

10^/10

credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\r6cx9989a6-readme.txt

Ransom Note

---=== Welcome. Again. ===--- [-] Whats Happen? [-] All your data were stolen. Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension r6cx9989a6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [-] What guarantees? [-] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9CC7C529A4ECA4B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 2xNpHhGq14JosXFi09dkLt483qYvfOQFgCRszKIdsihrq5Jz108HOaxagvWluT4O /S4SOeXoTcrwHLwG5MIF4c3pWay0jN9gVvfm1MDgg2u2mIqjG+/XXiVdz8FOzTYZ gaTLRxPeJlC8XxyJQT77qqvKoeOBrLv1u9gavk983lffbYgoWaHmZpLwJnfXO6gX oM/8jKjUc4ZOsB3TFW0TJix3NjxL+Wkl5nFkhyyooUssJ/qfn5F05viuhGyKBOe2 bYbKFo8Egj5NrkJt54SWDE8FT2HHZ2gQOL4nSEtqZ6trVzEB9aBKe8IMOgITG9Zu Fb0FNl47VduLzcwVmr/ykrANW/jDlaGaJmx8OOcQWhUqy/fPwGuFNjJZinow07I3 iO/xP3E9EsfCXmghgpa4kHWR8PieVd/4qs27f735iE43vfdI68TM/fO58GIZFLvc 5j+Q01ni/qaQxs/EJjelP4JEoDlkAtDqqbNeaXLEThKekEeKuJnuFdPTc29HxrI3 lt0N4j3GhTUqS1n4h11q2sEdZpNKQpDroXD3411YI8eaTDvmcY8cHeihrgCJmVJz FR0RpSVPQGG7cBP4rchOGHJe/SltxKh9i2CvJJsEdO2Qe/SGY7JyS/TXbmWq98SW EPagrn16t0M3UHbVf7EEwM9tHvI12ZIU4xPKzyU3W4ebzSTFuHrWvp0otnX4DReC niQ3P/OolaLasrmA3F1WnBWwsCQdwaCOgCLNb7LORu1GzfQsk7fxcuZnQTD70dJe c8/emPTGQ4RvjKYTZFiUhGu4GmnG+GZwQ6SZ4gqgyzNlX/AcjZ2opryN8jvOS6fo pPre8VMjx4GsXq0U8dJF85sU6wC0rEtVrfjfCMQF0Q6HRl8Lq8GlXGih4w5EoDFz ZF0ED+fm3EN4aXBhbv7w8Epdy/HW2maAf3zKE8deJsaUGS/d5pl1hgJXHVlHr+R6 8u3hnJhAJwH4uFd8Ius5YH8Upe6C0kx7oZxkdKUcUq0Dohjg+hLRV2W5Hl6VpFUx el20vhr4DEQpMZhFPxKw4a1lZKcW4JPlRDPkld4GlGrX3PWclEVwJWaOMFXy66t0 jDdgs5LjPmdabzTio15cnRV6ovY1GQaCG09PXUUhKKeGxrUZX2VRlMKqXfjEIGDY 1gncIokG8qs06Lfa7XTfeczFKkW1iU4WNnITf9yZ2gZifnHO4Irn9w0NdB1LJ83V 1LmStiKH7Ht3bYGksruSPz97u0rzIFk53rCva/6MQ50GICMN/2ip7G9ihNMV/eLH AT4ytxqbU6eECO8ibShIzWtBDh1TPSjp3l2afOF6PD7WaFn68STsZOWhGIFC+E7b tEWXQhFU+FpHXl8wQbhcbvKAxB29FuEjs2IW6SSb77V9MTZA ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9CC7C529A4ECA4B

Signatures

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\J:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\T:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\V:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\X:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\Z:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\G:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\I:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\L:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\N:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\R:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\W:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\Y:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\A:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\E:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\M:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\P:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\Q:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\S:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\U:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\D:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\H:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\K:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\O:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened (read-only)	\??\F:	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\66bauo284mi70.bmp"	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	\??\c:\program files\r6cx9989a6-readme.txt	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\AssertSync.htm	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\CloseUpdate.pcx	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\RedoRequest.mp3	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\TraceFormat.mp4	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\ConvertEdit.jpeg	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\RemoveExpand.mp4v	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\ResolveMerge.midi	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\StopInvoke.eprtx	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\UnblockMount.mpe	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\UndoSearch.dib	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\DebugImport.ini	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File created	\??\c:\program files (x86)\r6cx9989a6-readme.txt	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\CloseDisconnect.odt	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\ConvertFromRemove.aif	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
File opened for modification	\??\c:\program files\GetSelect.M2V	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133864300957199908"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4788	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
4788	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
4788	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
4788	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
4788	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
4788	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
2408	chrome.exe
2408	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
Token: SeTakeOwnershipPrivilege	4788	2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
Token: SeBackupPrivilege	4376	vssvc.exe
Token: SeRestorePrivilege	4376	vssvc.exe
Token: SeAuditPrivilege	4376	vssvc.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: 33	4592	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4592	AUDIODG.EXE
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 836	2408	chrome.exe	92
PID 2408 wrote to memory of 836	2408	chrome.exe	92
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 2156	2408	chrome.exe	93
PID 2408 wrote to memory of 4824	2408	chrome.exe	94
PID 2408 wrote to memory of 4824	2408	chrome.exe	94
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95
PID 2408 wrote to memory of 4712	2408	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-14_b66ef055f69d2d1a1d8a6f7128cc34a4_revil.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\r6cx9989a6-readme.txt
1⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8ad1cc40,0x7fff8ad1cc4c,0x7fff8ad1cc58
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2148 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3540,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4292,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3564,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5072,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4820,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3152,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5024,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3536,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4288,i,12157292907947632190,9442685364247837217,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:560

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000444 0x0000000000000494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6ebb874a98c8224690a048fa85ea55ae

SHA1
8be0edd4e36a29e82f24a03cc4a39fc6b0a86a69

SHA256
406335fa2c5776f2844674bee2d03f75852fb6e283f8c72c4b6e49f2e6cd1cc3

SHA512
78cfdea727d0b88b6c19fc6ba5a4ff6a95d8a6991778fc7888849b436e898b8ee996af9b74335c9c11d2d656a4de12d5fc528dfc12839961cc1439fef6bc16d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
215KB

MD5
d8899b1c0aa7c8e5836708fa76dfb119

SHA1
3ac6fbb49e7350221da7ee4d658efa239f2985eb

SHA256
106b6d9e8fab32613ec95b387848efc1a8b411ae4609237004009bd330e1a67f

SHA512
9f97e9187e145377992ecce519189fac8a3d13ee1c8fcef31b7aa1b2e5d1aacf0275fa031fddd40ab1bdfc855d549053f4dc43b65e6baf985924cad146d2bd2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
85b3fdc32157c47246a77bd9ba26fa51

SHA1
bff7138153e7726470b9d61a968839fdb7ebed61

SHA256
e6e6789429633bf8d5e5c474eecf39eaceb2c6a86b1740bf3a6c730b53389dd8

SHA512
b39560717507556fc560dffeeb87cefa67b93f8b4d402a6d8eb21bced33403ecdbff4c0bbd40030de64e8145ddc1e3c9eaae7c9eceb7dcfa929f1b7d73b6a876

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
890922b7cd15b9f6d6d78c12ff97b03c

SHA1
bb7cb8b06200b1c2f0f54c7e592ed70ac20d2781

SHA256
0876d26f720d5d1a06015d33c22089bd212f9e0aec4aad4e003b430451d560f5

SHA512
9d07bc9b3d1bc105c492468fef726194808dcbe0f66d25fe9e886f1c0dbeeb9024a4b06a6600871d441599ff4f653f0d86cb1af10d97b9be7f18d8c57848a99b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
5fbe50b386dc61f9f6e9b79ece3c6e5f

SHA1
8d284afa832a5d9d5927f44cc1f69cc91fa75085

SHA256
372f09072d8508ccae33a191d8ef12d33a22aa9da8294d049515670cce43d108

SHA512
707b2dbd3bdd4e675353d2e3a4dea4ad858310fbaa359d14cc7e60d9cf87cb8e13acd9662bff250b9a42ca7deace0c7bae861f94db973ec593fdb8082c314597

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c97c18088a0b89cc49f690780b7dc9e7

SHA1
0cb14cc73dbec7073ff17cb3a3b9688b5756a31a

SHA256
84d146717ea9f54ac76038d4f7070039fc737a40a1eb38ad674e5363420ac072

SHA512
d930cd12a9e4e81718851633a3dafb69155bb4cf03860135b89845b0e91bd443a72d227319088102dbc1855c66b59055a68cd1f44541e9e1973113206bc345cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
187B

MD5
3280f09cdedadca7d76c515274eb676a

SHA1
418bb5b7f53e7d0858489779fef5be65b3afe063

SHA256
71a06a3df0c09a612c71b2cda6d440a70a1f786eba454a707e51084974b6b913

SHA512
6cc6349a42236a169cfd1a18d555725333424d2df7a365e3662fc31e489c7903f04f2aed2a2d7b979d1dae05383709d256d482268f6090cb4b17eabf9940ca91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4c1d26f6100ab9f5e054471a48912dc2

SHA1
32be2dd8b19bf5d4b783f160e441eb37a66f3091

SHA256
60dcf5727d7a19bc6b6f6171e65778d4844da59e937e84c55f0795e5af4e8200

SHA512
a98e7a6fff44fe5dff41881fb989db108e441d833fa3b88072d1a8b0782dcf8e98c768dbf820bf3bb4901a97f0cdc274d090b396ae4a7a7d0fece639ee97c301

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1b8118f9d4a6bf12b685b28dcdee2f8c

SHA1
919366f813793228560345a03936a1e99144b054

SHA256
119eb15d82588ac0b1114940f9f606fb85f31e29a94fc873061839ef72d7a270

SHA512
725fbe2566619346967ffe80d1468ea47479b3542e82c8339d7122ce8259f0e4c5073a4d01b0422f07a31364d73338b7d200e2ac8db7cc49146707c709afd9a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
37510cc5c6d45d3d8535c714e43beb7f

SHA1
051f5fb1cd328299a10af965722bef380b43fbdc

SHA256
41697da0eca3d33bab81f8596515cb016ef5529793ceef6ca13b14c95afe092f

SHA512
e098e63a2bf59071059ee5593d8412d1db849625c1b25beaf5c8a9b237f146bf7c5b66c29429726312e9657b843a1e8710266ee230f8b7a690a535eb8c70f1c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
65cdbeafb9afbe1e13774418776689cb

SHA1
f5dc8f2f7d56d9ce2417f4671835986ab712f100

SHA256
86136c68006634bd0791af0ba3d439e0f76b2764eebacd255eda46eded710e3e

SHA512
c746d05372ed5b934e5b0f01da004893e355d5a90b5c4ad2b842b5bc9d68dc2a691f0f41059f26785807adc738cb6098241d36d8544ad441592490052b23e07e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ab35fc2986d220a7a2a9cbe1eed3028f

SHA1
0816f85b2c23bb82cf9668dbb54f47377870982a

SHA256
857b03f056b8d4eb2cb315f0fc5e3ddd13adabdeb57f8e0c006d893aa08b3c4a

SHA512
30756386abe114f1b02bc4df4e597b8de0094980218bb04a091de73a59595a7dd2782ceb6a479485723e95a4409e4d4c339bae87cebd23daa4c5e8a0e051943b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
246KB

MD5
100090538e0bf8eca5ba6c4e80c1df1f

SHA1
585d9450ba830a8d8040ad652b6d7186232523a7

SHA256
bfc7353602f36d2cdd13cdb3c1464bbaa3a286003fad0e695edc61bc1db06060

SHA512
e4cb4a7218b7bd9a2e14cd7f5c6e30a217c45e21f3b84d7191f39462ea797c543a59afb905d9e3663aaafacae1ce5368611a4adeb66c016114e233f22341084d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
246KB

MD5
553daacdf55d9dd26ed8c27fd69a2850

SHA1
7c14af9b35db10d911e780f7bb248dcc1bd1479c

SHA256
1964e84f1d75121aa86ee1329130da0ea414be257ab0087a784b1f6f46ee16cc

SHA512
f0a128f5294f8dca0cdd75270ad53619a9cfa3736f49c98816960227d3f736b064721242210df1c4d563848073cace9a6461f8f2825a8e1b9ebfd39982137b00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
246KB

MD5
4ba1dbbf6c43bfca9df7129b6e77a7a9

SHA1
1ab24f9da7806a4856b5b4617ad9093427a550c1

SHA256
52439dc8ec951fd80c1edd47d25bfdb1da34c147b97cb7e70d652cfe43b14e5d

SHA512
6c6f85a7316a4157b1beffd1a9be6946d5b66dd3142a8df61b7c586ff015f8e657f9317d4316677ea06027978a6cc24cdf976dccc7549c64145f8f5f21eee212

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\r6cx9989a6-readme.txt

Filesize
6KB

MD5
4e1f3626cadb3d6959ac23807555edec

SHA1
28c125ad7efd3eb0ccb295671897a5b2edadcb13

SHA256
cef20ffb037c8d773df5c44b41c328ae9224a53f0879ad1e4ea554367fffbc61

SHA512
eb3ab0611049a728c9ca6c35bd7e513a10b72353b765fb965f25b5e525510a5f5a674aad01ef30744e0219a80cf9e26c604ef77b2f73ac524a97d50507499fda

Download Submit