f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

Resubmissions

10-10-2021 08:37

211010-kh77dsffh5 10

10-10-2021 08:28

211010-kdbbvsfgck 10

Analysis

max time kernel
307s
max time network
310s
platform
windows10_x64
resource
win10v20210408
submitted
10-10-2021 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chaos Ransomware Builder v4.exe
Size

550KB
MD5

8b855e56e41a6e10d28522a20c1e0341
SHA1

17ea75272cfe3749c6727388fd444d2c970f9d01
SHA256

f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
SHA512

eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Wallets

bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4100 created 1336 4100 WerFault.exe PaintStudio.View.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1820 bcdedit.exe
2824 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3652 wbadmin.exe
Executes dropped EXE 3 IoCs

Processes:

EnableOpen.exesvchost.exeDecrypter.exe

pid process

820 EnableOpen.exe
3716 svchost.exe
2156 Decrypter.exe

description	pid	process	target process
PID 4100 created 1336	4100	WerFault.exe	PaintStudio.View.exe

pid	process
1820	bcdedit.exe
2824	bcdedit.exe

pid	process
3652	wbadmin.exe

pid	process
820	EnableOpen.exe
3716	svchost.exe
2156	Decrypter.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exeDecrypter.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\EnableMeasure.raw => C:\Users\Admin\Pictures\EnableMeasure.raw.mqu8	svchost.exe
File renamed	C:\Users\Admin\Pictures\FormatDeny.png => C:\Users\Admin\Pictures\FormatDeny.png.0nau	svchost.exe
File renamed	C:\Users\Admin\Pictures\WatchStep.tif => C:\Users\Admin\Pictures\WatchStep.tif.8ken	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\EnableMeasure.raw.mqu8	Decrypter.exe
File opened for modification	C:\Users\Admin\Pictures\FormatDeny.png.0nau	Decrypter.exe
File opened for modification	C:\Users\Admin\Pictures\GetWatch.tiff	Decrypter.exe
File opened for modification	C:\Users\Admin\Pictures\PublishDisconnect.tiff	Decrypter.exe
File opened for modification	C:\Users\Admin\Pictures\WatchStep.tif.8ken	Decrypter.exe

Drops startup file 6 IoCs

Processes:

svchost.exeDecrypter.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.jc7v	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	Decrypter.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 35 IoCs

Processes:

svchost.exeDecrypter.exe

description	ioc	process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Decrypter.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7qhhqvq17.jpg"	Decrypter.exe

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4100 1336 WerFault.exe PaintStudio.View.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

pid	pid_target	process	target process
4100	1336	WerFault.exe	PaintStudio.View.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3672 vssadmin.exe

pid	process
3672	vssadmin.exe

Modifies registry class 64 IoCs

Processes:

Chaos Ransomware Builder v4.exePaintStudio.View.exeexplorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000f4ecfc87702cd701011c968a702cd701b2928c8a702cd70114000000	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Chaos Ransomware Builder v4.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

508 NOTEPAD.EXE
1712 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

svchost.exePaintStudio.View.exe

pid process

3716 svchost.exe
1336 PaintStudio.View.exe

pid	process
508	NOTEPAD.EXE
1712	NOTEPAD.EXE

pid	process
3716	svchost.exe
1336	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Chaos Ransomware Builder v4.exeEnableOpen.exesvchost.exeDecrypter.exemspaint.exePaintStudio.View.exe

pid	process
740	Chaos Ransomware Builder v4.exe
740	Chaos Ransomware Builder v4.exe
740	Chaos Ransomware Builder v4.exe
740	Chaos Ransomware Builder v4.exe
740	Chaos Ransomware Builder v4.exe
740	Chaos Ransomware Builder v4.exe
740	Chaos Ransomware Builder v4.exe
740	Chaos Ransomware Builder v4.exe
740	Chaos Ransomware Builder v4.exe
740	Chaos Ransomware Builder v4.exe
740	Chaos Ransomware Builder v4.exe
740	Chaos Ransomware Builder v4.exe
740	Chaos Ransomware Builder v4.exe
820	EnableOpen.exe
820	EnableOpen.exe
820	EnableOpen.exe
820	EnableOpen.exe
820	EnableOpen.exe
820	EnableOpen.exe
820	EnableOpen.exe
820	EnableOpen.exe
820	EnableOpen.exe
820	EnableOpen.exe
820	EnableOpen.exe
820	EnableOpen.exe
820	EnableOpen.exe
820	EnableOpen.exe
820	EnableOpen.exe
3716	svchost.exe
3716	svchost.exe
3716	svchost.exe
3716	svchost.exe
3716	svchost.exe
3716	svchost.exe
3716	svchost.exe
3716	svchost.exe
3716	svchost.exe
3716	svchost.exe
3716	svchost.exe
3716	svchost.exe
3716	svchost.exe
3716	svchost.exe
2156	Decrypter.exe
2156	Decrypter.exe
2156	Decrypter.exe
2156	Decrypter.exe
2156	Decrypter.exe
2156	Decrypter.exe
2156	Decrypter.exe
2156	Decrypter.exe
2156	Decrypter.exe
2156	Decrypter.exe
2156	Decrypter.exe
2156	Decrypter.exe
2156	Decrypter.exe
1220	mspaint.exe
1220	mspaint.exe
1336	PaintStudio.View.exe
1336	PaintStudio.View.exe
1336	PaintStudio.View.exe
1336	PaintStudio.View.exe
1336	PaintStudio.View.exe
1336	PaintStudio.View.exe
1336	PaintStudio.View.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Chaos Ransomware Builder v4.exe

pid process

740 Chaos Ransomware Builder v4.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

Chaos Ransomware Builder v4.exeEnableOpen.exesvchost.exevssvc.exeWMIC.exewbengine.exeDecrypter.exePaintStudio.View.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	740	Chaos Ransomware Builder v4.exe
Token: SeDebugPrivilege	820	EnableOpen.exe
Token: SeDebugPrivilege	3716	svchost.exe
Token: SeBackupPrivilege	2976	vssvc.exe
Token: SeRestorePrivilege	2976	vssvc.exe
Token: SeAuditPrivilege	2976	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1316	WMIC.exe
Token: SeSecurityPrivilege	1316	WMIC.exe
Token: SeTakeOwnershipPrivilege	1316	WMIC.exe
Token: SeLoadDriverPrivilege	1316	WMIC.exe
Token: SeSystemProfilePrivilege	1316	WMIC.exe
Token: SeSystemtimePrivilege	1316	WMIC.exe
Token: SeProfSingleProcessPrivilege	1316	WMIC.exe
Token: SeIncBasePriorityPrivilege	1316	WMIC.exe
Token: SeCreatePagefilePrivilege	1316	WMIC.exe
Token: SeBackupPrivilege	1316	WMIC.exe
Token: SeRestorePrivilege	1316	WMIC.exe
Token: SeShutdownPrivilege	1316	WMIC.exe
Token: SeDebugPrivilege	1316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1316	WMIC.exe
Token: SeRemoteShutdownPrivilege	1316	WMIC.exe
Token: SeUndockPrivilege	1316	WMIC.exe
Token: SeManageVolumePrivilege	1316	WMIC.exe
Token: 33	1316	WMIC.exe
Token: 34	1316	WMIC.exe
Token: 35	1316	WMIC.exe
Token: 36	1316	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1316	WMIC.exe
Token: SeSecurityPrivilege	1316	WMIC.exe
Token: SeTakeOwnershipPrivilege	1316	WMIC.exe
Token: SeLoadDriverPrivilege	1316	WMIC.exe
Token: SeSystemProfilePrivilege	1316	WMIC.exe
Token: SeSystemtimePrivilege	1316	WMIC.exe
Token: SeProfSingleProcessPrivilege	1316	WMIC.exe
Token: SeIncBasePriorityPrivilege	1316	WMIC.exe
Token: SeCreatePagefilePrivilege	1316	WMIC.exe
Token: SeBackupPrivilege	1316	WMIC.exe
Token: SeRestorePrivilege	1316	WMIC.exe
Token: SeShutdownPrivilege	1316	WMIC.exe
Token: SeDebugPrivilege	1316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1316	WMIC.exe
Token: SeRemoteShutdownPrivilege	1316	WMIC.exe
Token: SeUndockPrivilege	1316	WMIC.exe
Token: SeManageVolumePrivilege	1316	WMIC.exe
Token: 33	1316	WMIC.exe
Token: 34	1316	WMIC.exe
Token: 35	1316	WMIC.exe
Token: 36	1316	WMIC.exe
Token: SeBackupPrivilege	3268	wbengine.exe
Token: SeRestorePrivilege	3268	wbengine.exe
Token: SeSecurityPrivilege	3268	wbengine.exe
Token: SeDebugPrivilege	2156	Decrypter.exe
Token: SeDebugPrivilege	1336	PaintStudio.View.exe
Token: SeDebugPrivilege	1336	PaintStudio.View.exe
Token: SeDebugPrivilege	1336	PaintStudio.View.exe
Token: SeDebugPrivilege	4100	WerFault.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

werfault.exe

pid process

2300 werfault.exe
2300 werfault.exe

pid	process
2300	werfault.exe
2300	werfault.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Chaos Ransomware Builder v4.exemspaint.exePaintStudio.View.exemspaint.exe

pid	process
740	Chaos Ransomware Builder v4.exe
740	Chaos Ransomware Builder v4.exe
1220	mspaint.exe
1336	PaintStudio.View.exe
4716	mspaint.exe
4716	mspaint.exe
4716	mspaint.exe
4716	mspaint.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Chaos Ransomware Builder v4.execsc.exeEnableOpen.exesvchost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 740 wrote to memory of 3268	740	Chaos Ransomware Builder v4.exe	csc.exe
PID 740 wrote to memory of 3268	740	Chaos Ransomware Builder v4.exe	csc.exe
PID 3268 wrote to memory of 1708	3268	csc.exe	cvtres.exe
PID 3268 wrote to memory of 1708	3268	csc.exe	cvtres.exe
PID 820 wrote to memory of 3716	820	EnableOpen.exe	svchost.exe
PID 820 wrote to memory of 3716	820	EnableOpen.exe	svchost.exe
PID 3716 wrote to memory of 3460	3716	svchost.exe	cmd.exe
PID 3716 wrote to memory of 3460	3716	svchost.exe	cmd.exe
PID 3460 wrote to memory of 3672	3460	cmd.exe	vssadmin.exe
PID 3460 wrote to memory of 3672	3460	cmd.exe	vssadmin.exe
PID 3460 wrote to memory of 1316	3460	cmd.exe	WMIC.exe
PID 3460 wrote to memory of 1316	3460	cmd.exe	WMIC.exe
PID 3716 wrote to memory of 1124	3716	svchost.exe	cmd.exe
PID 3716 wrote to memory of 1124	3716	svchost.exe	cmd.exe
PID 1124 wrote to memory of 1820	1124	cmd.exe	bcdedit.exe
PID 1124 wrote to memory of 1820	1124	cmd.exe	bcdedit.exe
PID 1124 wrote to memory of 2824	1124	cmd.exe	bcdedit.exe
PID 1124 wrote to memory of 2824	1124	cmd.exe	bcdedit.exe
PID 3716 wrote to memory of 2184	3716	svchost.exe	cmd.exe
PID 3716 wrote to memory of 2184	3716	svchost.exe	cmd.exe
PID 2184 wrote to memory of 3652	2184	cmd.exe	wbadmin.exe
PID 2184 wrote to memory of 3652	2184	cmd.exe	wbadmin.exe
PID 3716 wrote to memory of 508	3716	svchost.exe	NOTEPAD.EXE
PID 3716 wrote to memory of 508	3716	svchost.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe
"C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qx1ftn2b\qx1ftn2b.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7309.tmp" "c:\Users\Admin\Desktop\CSC182DD043AD604E74BBA19C8E59C89B41.TMP"
3⤵
PID:1708

C:\Users\Admin\Desktop\EnableOpen.exe
"C:\Users\Admin\Desktop\EnableOpen.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:3672

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
3⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:1820

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:2824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:3652

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}
1⤵
PID:1352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3536

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2376

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:260

C:\Users\Admin\AppData\Local\Temp\EnableOpen-decrypter\Decrypter.exe
"C:\Users\Admin\AppData\Local\Temp\EnableOpen-decrypter\Decrypter.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SyncPing.css
1⤵
- Opens file in notepad (likely ransom note)
PID:1712

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\ce69b18b430941e98e29b207b5d28b21 /t 2940 /p 1712
1⤵
- Suspicious use of FindShellTrayWindow
PID:2300

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\FormatDeny.png" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1220

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1336 -s 3740
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\RequestRestore.jpg"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4716

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:4808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EnableOpen-decrypter\Decrypter.exe
MD5
97f3854d27d9f5d8f9b15818237894d5

SHA1
e608608d59708ef58102a3938d9117fa864942d9

SHA256
fac94a8e02f92d63cfdf1299db27e40410da46c9e86d8bb2cd4b1a0d68d5f7a2

SHA512
25d840a7a6f0e88092e0f852690ed9377cf3f38e0f2c95e74f8b2ffea574d83c6154cccdbf94f1756e2bbdcdb33b5106aab946644dedc4ffaefb6bf57a866696

Download Submit
C:\Users\Admin\AppData\Local\Temp\EnableOpen-decrypter\Decrypter.exe
MD5
97f3854d27d9f5d8f9b15818237894d5

SHA1
e608608d59708ef58102a3938d9117fa864942d9

SHA256
fac94a8e02f92d63cfdf1299db27e40410da46c9e86d8bb2cd4b1a0d68d5f7a2

SHA512
25d840a7a6f0e88092e0f852690ed9377cf3f38e0f2c95e74f8b2ffea574d83c6154cccdbf94f1756e2bbdcdb33b5106aab946644dedc4ffaefb6bf57a866696

Download Submit
C:\Users\Admin\AppData\Local\Temp\EnableOpen-decrypter\privateKey.chaos
MD5
9bf57a8128e673a5000c38a5ae07b5a9

SHA1
beaa1b02fc854abc8a22a8bcb0c3639c94e64d82

SHA256
1da24d314e389c12aa5c840708052da138ea15b7e9d8d86dfbd49e7feedc00c1

SHA512
7ef215ad43acf4c3d7c82f318b3504ea3f75be2489dd50ab6586506c9cfdbcdc16db37d5634c9adeb6aeac4134dbcd70b2150c0d42f7559ba2e3c578e11addcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7309.tmp
MD5
5c8481c7535a5b04fdb09f39a1b5cdf2

SHA1
ccff2fc586fea3154be793ce5cdbe2f8c18ad58c

SHA256
cfa3d60e633c23aa53438f74d8c7916ae56a559a724d54c2d44adf9b2cc78be4

SHA512
342f0112bbebc74f32b26bbdc604033e9a5376b8f1771cebdfac6b7110eeb920e1b471bf84a35df1399fba18ed306018cc3e4434d6046f7db4781548f78db04b

Download Submit
C:\Users\Admin\AppData\Roaming\read_it.txt
MD5
4217b8b83ce3c3f70029a056546f8fd0

SHA1
487cdb5733d073a0427418888e8f7070fe782a03

SHA256
7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

SHA512
2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
ecbea448dca15b71304c380193acf405

SHA1
f895efb42e7e858300638be742694b7a96be2207

SHA256
91b3affb278a269314d469198faaf96edc526e0b35979ece5ed17a44a4a045d8

SHA512
df18cb14925933e9d8c9750532eb00cddc0cd8710ca05070ed06643334c70396986921c33dd3251c4fcc1a76d4d65dc56bc3b65656ea56822a11ef9e59258ba2

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
ecbea448dca15b71304c380193acf405

SHA1
f895efb42e7e858300638be742694b7a96be2207

SHA256
91b3affb278a269314d469198faaf96edc526e0b35979ece5ed17a44a4a045d8

SHA512
df18cb14925933e9d8c9750532eb00cddc0cd8710ca05070ed06643334c70396986921c33dd3251c4fcc1a76d4d65dc56bc3b65656ea56822a11ef9e59258ba2

Download Submit
C:\Users\Admin\Contacts\desktop.ini.qodr
MD5
449f2e76e519890a212814d96ce67d64

SHA1
a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd

SHA256
48a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7

SHA512
c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738

Download Submit
C:\Users\Admin\Contacts\read_it.txt
MD5
4217b8b83ce3c3f70029a056546f8fd0

SHA1
487cdb5733d073a0427418888e8f7070fe782a03

SHA256
7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

SHA512
2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

Download Submit
C:\Users\Admin\Desktop\ConfirmExpand.ppt.iwbo
MD5
9d87f14ffb96dc56b4cdaefe479d4621

SHA1
98cde44a91008be0802f3e377c0d61d844fc19b3

SHA256
177f49e98e4c698993c4ca9bfeca5d9e2f45a51e5a6a39d26501c27920d9999b

SHA512
00474ddbeee8761be7ff8bfa85559ce7db7f4502c232b382e5e9cc7dd705df6cce56aae30e69eb67dedfa41db763ecd0bb88b34fb7aa3c5d7cf0c5f0aebd2cdc

Download Submit
C:\Users\Admin\Desktop\ConvertFromRevoke.doc.5ht6
MD5
6a00253c6a8cf085b8958893575e4940

SHA1
a996b3c29013795af24f7a87cc446e386ec6c35e

SHA256
a30338a89c68928c0f39f85c7415bc5cf7de15f934e29794d8284a0edcd41560

SHA512
bac46b81edd87022ba79cce5cdc4dbac0bed6b21c0d16489d4486520e2f265eff425a4d04307955f92bae4d1ea2874b1566b5df990411ae7de0becc4c08dffb9

Download Submit
C:\Users\Admin\Desktop\EnableOpen.exe
MD5
ecbea448dca15b71304c380193acf405

SHA1
f895efb42e7e858300638be742694b7a96be2207

SHA256
91b3affb278a269314d469198faaf96edc526e0b35979ece5ed17a44a4a045d8

SHA512
df18cb14925933e9d8c9750532eb00cddc0cd8710ca05070ed06643334c70396986921c33dd3251c4fcc1a76d4d65dc56bc3b65656ea56822a11ef9e59258ba2

Download Submit
C:\Users\Admin\Desktop\EnableOpen.exe
MD5
ecbea448dca15b71304c380193acf405

SHA1
f895efb42e7e858300638be742694b7a96be2207

SHA256
91b3affb278a269314d469198faaf96edc526e0b35979ece5ed17a44a4a045d8

SHA512
df18cb14925933e9d8c9750532eb00cddc0cd8710ca05070ed06643334c70396986921c33dd3251c4fcc1a76d4d65dc56bc3b65656ea56822a11ef9e59258ba2

Download Submit
C:\Users\Admin\Desktop\ExitPush.xps.sa0s
MD5
9d18fcb4bb1b9fd6dd3f419787f5f920

SHA1
ee0495d98d8277f82830e640a4863e5e48aad31b

SHA256
184c526b6d8d03c0684fa3b31558c950203afcb59aeffcd53befcf8af001f849

SHA512
2885b97afd7ca7cc87f7a97e9b4f617663865cedef683a57e61b009363535ba540235c5a149a40b65da16d41fe0ea299869b81f41daff986eaded16e0235f3d1

Download Submit
C:\Users\Admin\Desktop\JoinInvoke.sql.tuku
MD5
c29edb51e6f2ea32f9109fd7d58c337b

SHA1
272ed6b12c2e73ad4a033ecd374d67221726c089

SHA256
5dc749f82d2ff955f3371551588faf73595d4237cd7fedc0874ec67dc6989656

SHA512
fcbfe03237a99ff814fa0f9d31a5709a93bdc1aa9601e3e0391999f524aed0fe9067fabaf6cfe11af3a6d99eba3da13b086732ac449632363b0a395911d96805

Download Submit
C:\Users\Admin\Desktop\JoinReset.wav.h1fx
MD5
d600405f3b1353336baba1ae6b329153

SHA1
4bf8ec0150bed8b99cef6d26dcd26aad779ab0a7

SHA256
2b6bf3b0e7f174738d4c63297f88a36ef899f9179552429b9e5a702cddcb07a9

SHA512
9cb95e691248f8c434ec1d6c917d67b65025eaf370ac05c9d31da5c7ca6d6a003827e93d32d04a1e80687ad5e737124d1eeb4fa9abfe326852e48d3f87429e94

Download Submit
C:\Users\Admin\Desktop\RestartAdd.xlsx.knjm
MD5
d047644ebf4a51eb84ead712d5922498

SHA1
e94084639101d2e4652907cf261cb405db172f93

SHA256
f1c3a5b62331345bd08425bf798d09f50c6c15cfabef68bc5575dcab39f113bf

SHA512
1729bb7ed63b6a4c15829bb079465897f7743d49641649be5abe5032503b3cb8aa8e1e8e310a353c160fbda6524996e779afd53ec6082782086ce9bcb2e054fa

Download Submit
C:\Users\Admin\Desktop\RevokeConvert.xps.9iow
MD5
1ca0b6d16a67adffa45a3bd9e7313ce7

SHA1
57de73eb764d69b8f63b3199268798ada29463f1

SHA256
2ac3f9c11a325923fb5e21ed1bdfabf3d9ff3f29da1aa1c1bc03fcbb076f181d

SHA512
8f17b6e6e9ce0ce8ebb97ea07ef20684bbcbe8aefd0ec91c68bd35d98fac343692cf86231204f2967120cbe438abdbbb9c8f583d04d6b4b97a6268da1f3f4719

Download Submit
C:\Users\Admin\Desktop\SyncPing.css.nzl4
MD5
8da5c798aeadd2cf18d8c5983b5b8bea

SHA1
1395665d4e02f5970fa12fccc4558f16f56b47f2

SHA256
1c68471a4982256a63db4d6fd997330e9355fa8d57865c06cb068ba7af81e749

SHA512
9cd4d2b8b23eadabebde46170dee427004c9c490d5eadcfb0d6192c95aa57f02a8bcca61264ccdd7b996d57ad0d75887c24370ccbc3c6c81efd67287328ca2fb

Download Submit
C:\Users\Admin\Desktop\UnregisterMount.css.vbtz
MD5
101b9edd3fa776df2d6334cb2b8d63c8

SHA1
21e456ee886f1e86ac04a5531dc3d9ba2ccb374a

SHA256
40d9d0b648d54b783c4549a5badac139426d0fcfa59b27d5a5622edafb31ff55

SHA512
9a20aaa65483d81bb1dbe13f003b0cbda41a67107e5e8ad39aa76d3e86d1656e17a27e1ddc6e7d9bb70169ddd3a27af0909fb63388cfc89b0ce17f2b3116a4dc

Download Submit
C:\Users\Admin\Desktop\UseMove.lnk.r0x6
MD5
01abe1332c6d1651a551c1c5d0d75c74

SHA1
4751bf5edfbb196f6fc13b9e4aa31f882a0fc168

SHA256
d76477c0587c7687d7d550248cfeedb8230d124710a4931037273050665b03ec

SHA512
a192991db4b2788071db0c3364c267e924abf1e8710b5b5c2e4fd3531844bb2704ef85890302dbe48d2e24b4a830ef4c51a901db2369e0ce883cb4b048c84b4d

Download Submit
C:\Users\Admin\Desktop\desktop.ini.82yd
MD5
c1591374eadc2c8f72eeee4553441278

SHA1
8165a5db4101aadc3034eeab286786f783cdc10b

SHA256
80379796a7ce1a082c210d61a6d1f204a30d2e9fac93cab0e0c16115f986c5dc

SHA512
954f0650d17a9f9f4f3619d4fcf3f3bb6ca4309a15090c6f8c1ebdabbc347da8e5693ee0d21eca5abf62a778438befe5ac87b2b37d99663398fd0c8ece3ec710

Download Submit
C:\Users\Admin\Desktop\read_it.txt
MD5
4217b8b83ce3c3f70029a056546f8fd0

SHA1
487cdb5733d073a0427418888e8f7070fe782a03

SHA256
7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

SHA512
2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

Download Submit
C:\Users\Admin\Documents\Are.docx.7h60
MD5
32337da3dc9c784eda42ac2ce7900649

SHA1
885f087208265820e1bacc5668bad6859a43e1b7

SHA256
6e80422212aeb770359071dade6da1a6d35be2a76a174dfb90ad84fc69230bf2

SHA512
d22f0f467c8fed8d0fb536f0d6afab718e2687b79a3f2e48bcd982bd4a7719d38ced1fc7bd8668eafb1c2b0b095a837699e4996c0438833e775ba0e3839b0e84

Download Submit
C:\Users\Admin\Documents\AssertDisable.xlt.nbz3
MD5
6b6e7c583c0da09372b9536be7f23ef4

SHA1
08273af688313e9957b5a11df13e28c922d854b3

SHA256
7b8f5c45540331eb0ea56afd02a4ba6d4892852fcc3e31d5d840bbdc6bed5eba

SHA512
6da84fe16cc58a51c942a5d6eea514fef11b04744ec27c515b350ba1c57aee8ef1953460b782ac309470adb7f251522bcc61513c82db75e2cdf851725f9c78b6

Download Submit
C:\Users\Admin\Documents\CloseUse.docm.z57r
MD5
542f19a2e7875a7cb02b2a0909837c67

SHA1
4ba8cef7f268890b906982e6ea0866afbe1386a9

SHA256
3e3120a0f125988d7635ad3f70d49599dc2136806e953df364f31134edbdc5bc

SHA512
c50111e448f3d0e41c66bcec149c9c5fcd16a5d780381bbe5874e73b9273e5a2e21067ff8edb85e9339095e30c3add79cab3508f87254d4cc7fc349962568a94

Download Submit
C:\Users\Admin\Documents\ConnectRemove.docm.bvcr
MD5
69a417edb12ee76c9e8f1666cf7138e0

SHA1
14436a1ddfb1e9a407965602354811e9d77338c7

SHA256
b1c6a31c274b221a89867cc67fca4cf476dbce62667404256cca3c6993169cf2

SHA512
8e7245d87fe89fb4512a4c6963d9abae9057958c58348f650ef19ca4b8221988ae1b4e404b92df7410a0f07678df1a28bf13d588f4dcef1e3241c0618b4b3788

Download Submit
C:\Users\Admin\Documents\CopyCheckpoint.html.ej93
MD5
cd80df17c14acc5ce69abc45ef0632d8

SHA1
cbb45639241d130f22719c64203d0cd93ef57634

SHA256
e3db760b94541f627f5292ca3435452d6cb481251352cb1714e2d5de516c1f96

SHA512
867b51239ff527ecbc130d3bf232434750189c2e19a6a8a80acacd2fe2eb915ffb5732890cb8cf9e4a9771478befc4ce1b3482ec0764de3db1aad01f82a78a9a

Download Submit
C:\Users\Admin\Documents\ExitNew.mht.yyck
MD5
4c59b3efb7b35064f6fc8ff2ebebabc7

SHA1
e379b367dde7564ca4f67db5acbc927b74e624f5

SHA256
3389a879b2ab6b9fcf7e6003f66fc55c7c2c5c64300c8b813c65ce135fe4c599

SHA512
18314d58763b2dcab90e9c992d6c3813d086c30ec92f1dc2bf88530e3419f0b32a1a09b2272e201613caf73f85d7d99c1419646cf63b94f92c146ac2d2d71144

Download Submit
C:\Users\Admin\Documents\Files.docx.04oh
MD5
a1a6ed63af4caec676f300d79c056aa3

SHA1
3ae361a2202abf9c1ccc1ffbe70085a85243bd4a

SHA256
c6d74a4267a5eea0ec25f12251af6b2827eb90b27f4ceda7896ed4c0c61c95ca

SHA512
c7c26cf03bf94da884eb1f623f5197b2858dfad6ba505e33df48129c491a55eedba3bbc378785874a70b7528610a2fb2237291f9747c3fcc485a8ea8bab8a929

Download Submit
C:\Users\Admin\Documents\InstallInitialize.potx.7b1j
MD5
c86db489d9d7641183f44972fba7ac7a

SHA1
37f00f21d56fb8fa1f76e685581883c5bd1833d1

SHA256
7a5aa5e3417a5eea9e39623106a07631c7c92f8714412f930bdb0f459d295cc5

SHA512
e8e1c3ae0c920839a1958a8d4d5abbf8e1fa554743c75930c683aa9248c5c5946eb84f09e28e988fa74317f84d223146f86d331d4519c38e92d12e73d3cdd334

Download Submit
C:\Users\Admin\Documents\JoinResume.xps.37sw
MD5
476ee6d411513f4f0f892906203ee5a8

SHA1
0aa1dec8b487bb4a8cc1d57be066d34c7ae6c880

SHA256
a48d7d4012991dcb2da91bb417d9a608769c3d71b33785c231465a6872b4588a

SHA512
88027fded4a2a5ba1aa0ba2794e2772b88080529f65e978147f4a922f6d17268bdc9fcd36a2173ed86cb01e76a37a3446936cf1b55a2d1c14528fc127e985913

Download Submit
C:\Users\Admin\Documents\LimitDisable.potx.1f1a
MD5
2ea360b627f3f72f5699ea9eb4bd5014

SHA1
23215a01e858b80b08a34ac3094f74cdcf78e78e

SHA256
d0b15d8bb748f5d5238aba9c88e412470e5a36f608ae5283b48e7f956d42e6c3

SHA512
f8697169a6f2c71c9e0e74b4048beeeff6ae37ef4d405aa1bc7cfc87a655377863866930ecb911a31880dc3961a9f946b8fd7780fb75e29f413c08e38c19e479

Download Submit
C:\Users\Admin\Documents\LockPop.pptm.2cz8
MD5
8d5a4b0473ec74587c5b49adc736c377

SHA1
b608bdcbea73ee3b0f7af59304527cc5d111889f

SHA256
a0fe9527b4af1a8dc283705333f2410c4e950bfdea595bd8de86c4b76e791d2f

SHA512
7b4b6e42c5ba9984ba3d67ed5766f6357ffd4485d8244ae12320a93c6a6eb3ea0906c9dd2143cdf397babc5b2748f44fcc4205785eca2625b4f4d679bd1236a7

Download Submit
C:\Users\Admin\Documents\LockRedo.ppt.asmh
MD5
8952f4979064377bc754964f91a899a6

SHA1
b40be56cd49e26b1d3da321927fb5b3e024a6e2d

SHA256
1edd9848a03e2bc6a4365b477e1faa8038bc4857dde99d1bbc1b2ed5b6377ac6

SHA512
a8f98896b9a96d6c5414c252834e3e5ff8c8c23131a821871b4402bfa5a7c31ee1517c6ab11953e4d4cf9105b636718d95dcf2283c251bf670e4bcbedd30403e

Download Submit
C:\Users\Admin\Documents\NewSwitch.docm.ojdf
MD5
16ce8f4684f776b664eb9a0e299ed172

SHA1
f10bccc326d052d4de1b5879919074a173f95a9c

SHA256
63d7d68b8c08965c9344fb6364b250625ac65509bf55904c347097ee0f884e24

SHA512
48cd76c500643203294f31d6b2ca5807376d1930453daafa6473f970b28d47946c07db47d5a779f2ecb7045c582287606a0c1e849e88e297bb4cb2eb964d72ad

Download Submit
C:\Users\Admin\Documents\OpenFormat.wps.9pd4
MD5
a0d3f18524bf884decbfbe8aaee217c9

SHA1
380775703ab4f1596f00b5b1e18b88d7e73805a6

SHA256
cc98e4749b3cb66ab3ddd62f2d53b88fbd7397cf4b5e18517dd97d5928195dd7

SHA512
b10b6bac0dd441d5a4685a3494d57ab5c0c1e417581a02206b08c041cdde1a6aa94d8a5d0696557b5b2681e909b9250b44c56b26d8139421d92dcced79d8b41e

Download Submit
C:\Users\Admin\Documents\Opened.docx.1wcz
MD5
ddf79fff3beca8ab9f7b6165bbe85e0f

SHA1
a1099772ca1a33f4664a2033ba9cbd4508332f94

SHA256
ea78409043e109cd7240ac5955ee22b56c5be2223461be3152317af69dc955ed

SHA512
6470e9e00067f88e5c683a95846238e80116a0a404c0f6666b1176fbdab6b99025196ea409aa946bffd018d3f2ff6bb00659cf83c92ae9902bcec473cef6667c

Download Submit
C:\Users\Admin\Documents\PushConvertFrom.xlsm.r0t9
MD5
2500d80e863ea71dd5a1ef61654b3f2f

SHA1
7148a165c9e4b3aeea56248d0cb72395e6d542f1

SHA256
bb328014d6b7a721f1a171f38355d29220db6ef60b7797ceab5a6ee052ea10c8

SHA512
6c544c8a33eebfce4aa445d5104888afacfe749c84f8bd2f5a33858d5d374bb592909629e3a3f1232485566c2b675c22cd8b6f3e3378851d925091e3974d851c

Download Submit
C:\Users\Admin\Documents\PushRedo.mht.33xh
MD5
4218fbde8b26547cf7cdf3cde98be61d

SHA1
e121d23af4d17ce9ba6425059340cb4d24aab083

SHA256
413bd74b4bce39a5ee59d9dc9e0664057e03e7017e7c2041b1147a191479a664

SHA512
c42dd775906918bf38f71b43bbc3d62594a57211630211ebaadd17b3a08f2d2f33c57859752c404d952f9d5847b763ec3118b9d7d529c8e6c7c0238c8f46a8dd

Download Submit
C:\Users\Admin\Documents\Recently.docx.0ncj
MD5
bed01b326da766584a1856957004f3c7

SHA1
6784fb0f738022c4942d48dec24335e2bb60dc20

SHA256
04dd9098e8e0942c974ad69cfc3d802c46d4e65f5bfde6a6ae155d4222101597

SHA512
06306bc8d4053d7898740ebe65d515fc26fdc5517d3a3ed638faf506a5165db047a4ed518a5235c8149c4f727528439f56c5cf3982a2e01139bbbe3033dcf0ac

Download Submit
C:\Users\Admin\Documents\RemoveCompress.xml.aprv
MD5
91f77f26ce9230f7255844bfebe568e4

SHA1
6328526f5b9458dade79745752ed17ff714b07d3

SHA256
485edfda361afc8674c27eeac874bba9099c58e8955735f58b4f74eab634bc85

SHA512
1d21633d1bb73e0be59e78622f58aa6811343af2203f1f35837db8ef20e18495d63ee842e19b6300adad19762aa1862c571affaea44f8122142268f3876af5a4

Download Submit
C:\Users\Admin\Documents\RenameWrite.docm.8dkh
MD5
4c0bc855d30b04e21b1241e993de7712

SHA1
93b4ece08659ee4a66eee07cdab78e57090d8622

SHA256
33bda5303cb332de1ca4f93a9c09e0d0c74319a57f58b5b1c4f57e6964ae702e

SHA512
6ca986bf99d133a2d2d8b536c6ff9c270782e1eecf53e6bb92bbb4f44cc5117032af7e0a71e3d604dcc5a3a37014c2cd56babea17ef1231be22f997c7ce866e1

Download Submit
C:\Users\Admin\Documents\SaveConvertFrom.ppsm.rh2x
MD5
8a6fe1841c2a9558b4adc7c2014a23ea

SHA1
864c5f99d76f288db7e7fddd624cff46c356323a

SHA256
5d3d986251a8a267e70b3bb9ab7f2c6f05852164d22485020a88081fa72917d4

SHA512
d8d7612aab2641f9e635eedf701c40b3bacf2fa06a8384dd0f72c65c9ba2028a0d58f2f96cb9affb09a3c28e56da6cea562d60d748acab2772b66faba9c41a1f

Download Submit
C:\Users\Admin\Documents\SearchDisable.dot.8wrg
MD5
f4279cf01658619affdfe37f04784a01

SHA1
e7be16b20a21be7f6db10ee1b40120a2709c6d26

SHA256
b3bfe0044a7299e3164ab63ecfe1976762714921a8d66bbc3c652eb2cf83c481

SHA512
2df2f4b6452a0e8e0be898dbce2bb7b935f57afe8aa9450d766b76ada200bf68421b8f806a8180428f85cf6636648ba5765680ebc69628af617928ac22cde3bb

Download Submit
C:\Users\Admin\Documents\SelectInstall.potx.43xm
MD5
21fe71c91fd61ed27370dd5f400c4ca4

SHA1
706a501c3bb836f1a2355a25b42d290c2663b554

SHA256
fee759584dba8b5158f942889446617097f120e4e85fae75b2a6826cbbff73dc

SHA512
659f39d9ae59b5807cc1263fce3b43c2c19dea9da029412d374f78d0a31e85b818e6765248edf7c251e7184efc0f45e8d54a3cbfff0ff10caed28a298c4dc23e

Download Submit
C:\Users\Admin\Documents\SplitHide.doc.b7sb
MD5
04a77d614c0a276f11b41234723b7a8a

SHA1
b1d564330d0dd47d740e7f4f9cb9aa786a583783

SHA256
4dc90d1dd9fb5efb5ca73ab42cf151a5f4b442cde639ca86100c509abf372e7b

SHA512
e142a75446f1fc0c79064cb8f6f0ab692af416f45a8d15c21619e8721564b4327ee7debc6889fd472a343f5ecdc991914ec42f94560aa202266242b4b755c931

Download Submit
C:\Users\Admin\Documents\StartOut.xml.szfh
MD5
9b086b0b172a03590494701c5b6676f7

SHA1
5c486e1137d724eac4772da23d481c32581342d9

SHA256
362e4b139e6eb9116cfa218dc7d363a7b06f5825ef4e8680c7bf6e3172a3b308

SHA512
9e13877f784efc8c9363fa914633597db939c44c4a22fe10dd79f82cef197b4f16d068c2d81514fabeb179fcbf2e161bf8b34a6da12400bad43f44d1a1ad05b9

Download Submit
C:\Users\Admin\Documents\StartRegister.doc.4fqb
MD5
fd6f3fc05d8d9ac12447ea0e74b36183

SHA1
8cbd2fb89e1844e5a8847ee27cceea4991dcca3e

SHA256
a6219189b023e52cc0c7bf2ef6e465b791860fc753a3ee438c7297a197132a9b

SHA512
e1b3c7bcd67d371a0a1747609f1587b1f732b59d471fe5cc76088e0b54fef5619fa7f33c1d834a5417685d57d077b57a8cc6e1e71392ec166075cfbf63a178f9

Download Submit
C:\Users\Admin\Documents\StepWatch.ppsm.h3em
MD5
8381458a5324b6f3f2a57ae413a2958a

SHA1
7fd50adcc5e8c89e98de8a4a2b143443626370d8

SHA256
628785c6876c483955b1c1680aacf2c5203cfc3fa869231fd473431dfb1d4433

SHA512
f4dc01744a16ad6400b62c48dc95afed50cb4e9e32769377e27b6432fd43b2ec1a1c84a1c1878642d8a5f3387b0c2fe11536e426f9097345d5c76f8013038fd9

Download Submit
C:\Users\Admin\Documents\StopPush.potm.eq05
MD5
a647c4168c7390b353b7bc9611b700d0

SHA1
0f93d87998fc359001c4e3db446c25258595af7d

SHA256
765e787c5a7b868e0e39505fd2a93306046c81de0ba3ceaa3c51faa62df1b3fa

SHA512
a217290c0ba666875014e9078740b92ba5fcfa93d80880732e80a0644619d727cd32c9d29cc24e1129221d9177f572ebf68310b8769aba69506c1c216743b267

Download Submit
C:\Users\Admin\Documents\These.docx.f5mj
MD5
a6cbc4e9c5fc7bbd575b1b57c0c9ec30

SHA1
337985a29b92dd7233705688ac72c4feddbec9f0

SHA256
2deb15cbb9fb2770c18130b35a59815379bb61e249d8ec142c82ebdefcd576d8

SHA512
909103d43182dc5346b2baa40dd014b00137dbb8e69d90b85ccd6090a0e59ba03fa600293aec6ec666a109c3f4f9e4cd49b28ca5e992d7c6c18e66819d4c0b15

Download Submit
C:\Users\Admin\Documents\UnpublishProtect.xls.85bg
MD5
39b45f7a6319e15a68c662c858d8a2f3

SHA1
991e60d99e3af63d17f98fa5d613c1f054c07cb0

SHA256
862c74722775a5f099194b71b75ab30234985f4c66a8b3a45494acf32130d73e

SHA512
eb2f5b59825b915d4b22386455389b5b1f8124d93c8fee0d16a3a2c81bec9148f64b2e862ed108f6cb90f0de8d67028c05b319f0983d242070d3cf61e9447811

Download Submit
C:\Users\Admin\Documents\desktop.ini.o2pk
MD5
2c61eb49ff41a9a3cd7d4f0840c413c5

SHA1
d43c3e0081547f5f292f332ba68d1cc7dd235c5b

SHA256
b0c882dcb9cedb816ff8c1692a1d716c34f55a6b44f656f7f8f0d470d9688225

SHA512
53094153e1723ffdc251277a9363660e48665fb9061f6f7c65410627ef971ae9ab8fcb584ff15f6de2186ae5645b5200317193ea2806a0b866ffb82cdf671d6b

Download Submit
C:\Users\Admin\Documents\read_it.txt
MD5
4217b8b83ce3c3f70029a056546f8fd0

SHA1
487cdb5733d073a0427418888e8f7070fe782a03

SHA256
7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

SHA512
2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

Download Submit
C:\Users\Admin\Downloads\ApproveStart.wma.lqm7
MD5
4e7d4a028dacb5d31128deb9aad98375

SHA1
928bdd530644a416f3a78806cb9773970b22e539

SHA256
018651ca4e1b023d23315029054b1096f9416262d770f41a92fd843f35447d3e

SHA512
044beffc8dbd3a853c8b64ec8d777d7d1c71c35b5526f7b7b929abac53c064842fbffda6a2d48ac4a088b8b0cf39e9b6711d30f01a929e31b1fda7962cef3b74

Download Submit
C:\Users\Admin\Downloads\CopyPush.html.00hd
MD5
87ad89c105a53f3372177717f0145292

SHA1
d7ea8e3e2585d6228c0206bcf3f98b00dc065e73

SHA256
8820eeb27a695e65979ed77d403e853f972e012b224a3a825d5b6527f546591e

SHA512
9eb1e93c214a4496844bf2de33ce6a584c17bbc81131ead2741a5d8823ecc908cbd4d6ac3737e479252d0ac7b306ec1907a60d8ab35b2fbd2b541f5cdbbb0dc7

Download Submit
C:\Users\Admin\Links\Desktop.lnk.6zu0
MD5
7e24be6da448a76ccb98154293082679

SHA1
78c2eb92e2391cc9ff2c5a27567876f80cd1ed90

SHA256
46dd9571147d64dadab1143786c681982d4dc527b90262b95fd7c5b30584a09f

SHA512
fe9ebaa8ee6409ba32d3016f8819d8f7e458133908b02e453416e218c8d4d2aa51d2b49b454e532b2e4b6d7bccd6f580bb505a92ce5d9face6dd9e5657722887

Download Submit
C:\Users\Admin\Links\Downloads.lnk.ud9q
MD5
95a72d3b037a0fe1ef9d1145862e1e07

SHA1
14f0d35a7b3727ca52d8852c6945495d6a2be9be

SHA256
174f47d95e702bcf1723f70e0f919cfc3fd9e878dba4484d47364e9cf9a030f8

SHA512
0313656a67eeaa27efb8f984d89dc0fd43f6c2a7b37190d9822ec581bfd451f7ed63ef7e07ad114926102b935fc46f5cf385e1c31935801e12f8ea5e1432604a

Download Submit
C:\Users\Admin\Links\desktop.ini.xr8r
MD5
c2b51b7225f0fa2d2c2a7a33fb5fab28

SHA1
737f06c08ee6ba80d546f2f45b8a2e3e44637509

SHA256
07c5118cbc37383e75248f63f9e1955c0c458bd9341c8e6f08fc51370a6d77f9

SHA512
1a2c2b1ba229c0861d65d4da07d193bd7988bafeeaf927c863a889db8c1bf05d4db32fb74858a35c644cf390ca25bee9e6cabb1ed8fc7ef941337b49e174378f

Download Submit
C:\Users\Admin\Links\read_it.txt
MD5
4217b8b83ce3c3f70029a056546f8fd0

SHA1
487cdb5733d073a0427418888e8f7070fe782a03

SHA256
7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

SHA512
2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qx1ftn2b\qx1ftn2b.0.cs
MD5
ba40fb4894bce0834d42fd754a90ef58

SHA1
a4245e8553219758a964800c2f156dc81d7d7b81

SHA256
77f4def79e1ee43b091b1df15dbbf032227415135e907f9a4cee93ccddbf696e

SHA512
febb3682c1a9a22fc2073cdd00bcf45871787ab08f9349452a0f5ef3137e5c17cb0565599732d25c09663772f82422f087b0ff5b580dca63fbe093e098a9d611

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qx1ftn2b\qx1ftn2b.cmdline
MD5
913bd9bb9f62a9ed62a2e566282e862b

SHA1
6a872b2c31a5699e5b05395723baf2dcf71c923e

SHA256
ed09470ad18b857f619fb2abc4ad447b249f7e71c21ce551351bfdc84fb64096

SHA512
e04849eb2ce661b27a24e52e3291eb26df51c3b3e3f5e2bbc6827f72abd210be7129e135f3ec19859ae32af82629cf33149528ab80bfec9c9ea8f6f1b3877edb

Download Submit
\??\c:\Users\Admin\Desktop\CSC182DD043AD604E74BBA19C8E59C89B41.TMP
MD5
e435cda305139db4ae0dccd168dbeb72

SHA1
aeb4cfab2d00c026fa7e6c91b0c7f6809d315cce

SHA256
155b4ec940b44148f63ab5e76938986da34f2f113d5d888b0b2ca2d3c7ce1bdb

SHA512
b8bbe3feeeec54ea387dc9684ca97d5e0be21b4dbf5861b977d2d17538175670dc81fde4ba6be3d0e1871583c947b25f6bc03929594a493617e1159f98dd2c3e

Download Submit
memory/508-144-0x0000000000000000-mapping.dmp

Download
memory/740-118-0x000000001B524000-0x000000001B525000-memory.dmp

Filesize
4KB

Download
memory/740-119-0x000000001B525000-0x000000001B527000-memory.dmp

Filesize
8KB

Download
memory/740-116-0x000000001B520000-0x000000001B522000-memory.dmp

Filesize
8KB

Download
memory/740-114-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/740-117-0x000000001B522000-0x000000001B524000-memory.dmp

Filesize
8KB

Download
memory/820-128-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1124-139-0x0000000000000000-mapping.dmp

Download
memory/1316-138-0x0000000000000000-mapping.dmp

Download
memory/1708-123-0x0000000000000000-mapping.dmp

Download
memory/1820-140-0x0000000000000000-mapping.dmp

Download
memory/2156-155-0x000000001BC80000-0x000000001BC82000-memory.dmp

Filesize
8KB

Download
memory/2156-148-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/2184-142-0x0000000000000000-mapping.dmp

Download
memory/2824-141-0x0000000000000000-mapping.dmp

Download
memory/3268-120-0x0000000000000000-mapping.dmp

Download
memory/3460-136-0x0000000000000000-mapping.dmp

Download
memory/3652-143-0x0000000000000000-mapping.dmp

Download
memory/3672-137-0x0000000000000000-mapping.dmp

Download
memory/3716-130-0x0000000000000000-mapping.dmp

Download
memory/3716-135-0x000000001C302000-0x000000001C303000-memory.dmp

Filesize
4KB

Download