cryptolocker | hxxps://github[.]com/ytisf/theZoo/tree/master/malware/Binaries/Ransomware[.]Mamba

Analysis

max time kernel
542s
max time network
546s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2023 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ytisf/theZoo/tree/master/malware/Binaries/Ransomware.Mamba

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Executes dropped EXE 2 IoCs

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

pid process

4564 {34184A33-0407-212E-3320-09040709E2C2}.exe
4144 {34184A33-0407-212E-3320-09040709E2C2}.exe

pid	process
4564	{34184A33-0407-212E-3320-09040709E2C2}.exe
4144	{34184A33-0407-212E-3320-09040709E2C2}.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msinfo32.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsinfo32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133409960599054908"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exetaskmgr.exe

pid	process
4044	chrome.exe
4044	chrome.exe
1372	chrome.exe
1372	chrome.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exemsinfo32.exe

pid process

3728 taskmgr.exe
3080 msinfo32.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4044 chrome.exe
4044 chrome.exe
4044 chrome.exe
4044 chrome.exe

pid	process
3728	taskmgr.exe
3080	msinfo32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe
3728	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

131.exe131.exe

pid process

1320 131.exe
4532 131.exe

pid	process
1320	131.exe
4532	131.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4044 wrote to memory of 4956	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 4956	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 1212	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 2988	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 2988	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe
PID 4044 wrote to memory of 3680	4044	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/ytisf/theZoo/tree/master/malware/Binaries/Ransomware.Mamba
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffea659758,0x7fffea659768,0x7fffea659778
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:8
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:8
2⤵
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:2
2⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:1
2⤵
PID:824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:1
2⤵
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:8
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:8
2⤵
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:8
2⤵
PID:984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:8
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2304 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1700 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:8
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3928 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:1
2⤵
PID:2024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4816 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:1
2⤵
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5496 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5572 --field-trial-handle=1868,i,15967840738064407207,2244199673437616492,131072 /prefetch:8
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3136

C:\Users\Admin\Desktop\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
"C:\Users\Admin\Desktop\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe"
1⤵
PID:4524

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Desktop\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4564

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000228
3⤵
- Executes dropped EXE
PID:4144

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4252

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3728

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\UnlockFormat.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:64

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffea659758,0x7fffea659768,0x7fffea659778
2⤵
PID:2608

C:\Users\Admin\Desktop\131.exe
"C:\Users\Admin\Desktop\131.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Users\Admin\Desktop\131.exe
"C:\Users\Admin\Desktop\131.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
ab7ffcaf226e7d70882def5b77378cb2

SHA1
0cad519a08ba456fe22905c6602de5c53ef70209

SHA256
05c8d77e32207e862f0460d0daa1ed41869cc523fc0ea5b7f3ef1627a6a2138a

SHA512
c9f99029bef743dc484afa276afb4ba9121bc19514600948bab901ea8da07273225f7ae5619935c16e9c08125b8ed6d15691977856a299f17a29b9478a9d05f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
ab7ffcaf226e7d70882def5b77378cb2

SHA1
0cad519a08ba456fe22905c6602de5c53ef70209

SHA256
05c8d77e32207e862f0460d0daa1ed41869cc523fc0ea5b7f3ef1627a6a2138a

SHA512
c9f99029bef743dc484afa276afb4ba9121bc19514600948bab901ea8da07273225f7ae5619935c16e9c08125b8ed6d15691977856a299f17a29b9478a9d05f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
ab7ffcaf226e7d70882def5b77378cb2

SHA1
0cad519a08ba456fe22905c6602de5c53ef70209

SHA256
05c8d77e32207e862f0460d0daa1ed41869cc523fc0ea5b7f3ef1627a6a2138a

SHA512
c9f99029bef743dc484afa276afb4ba9121bc19514600948bab901ea8da07273225f7ae5619935c16e9c08125b8ed6d15691977856a299f17a29b9478a9d05f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
8fb67dd4221026cbe5335ca308514ca1

SHA1
0a4d318fbcbcd8e18768a9bcad8545e314957794

SHA256
0996496d32867d9deb5a27b1d22ab3a03eaba550d9a19d7b4957a177870c7bf3

SHA512
d694bea45e80e17ef9ab309b9daf09173ad82d70a81c380d67f96e3750dbd6da4479fbcc1902a5b9f252269e0d9df9a36c8c7a2f25e59c8e82b7cacc76f0a57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
4a8a25d415f4db88baa8807ba773dace

SHA1
3fd4f0d733c59de0e161a6e41604dd062da0b8f2

SHA256
92ee620ee7aa86a010e61a5be8b409445b06befca5481a5df6a4ac70eb86e771

SHA512
1dd53b421326283de6aece99ca6bdaa5d829cc432ceb51923c58f499c3b1f23be145e097496075e8252d4ed60a1abdbf26191004b077804a28a462346bbc8b28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
9b226c1fb7da3b10715a4ba00067a9b9

SHA1
51542c62f144d84177e8d7baeacb43fc7e40902a

SHA256
ed747476c44b45507770d42fca7c014a493d06c86d176989b95a1799e5b6c1a7

SHA512
4cc7f8742e75a3e40f7d61b4feb38642b7e3b9e55c5c4859bdd19e65895b7cbad3fcb37123506d963c3b3a7d9f7ea0cd75307d0f2fe685d677e036f655640519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
58a4b642986a9892a3a2f2693a59b2e2

SHA1
0326e6b79eea57fb87031170ad919fe08a6f5918

SHA256
bff38b7fa4ff7d9f3953fe7266431bcfead889c2e5758d63ed33ad36c997eb07

SHA512
1b7b48d3d6f7070e359a7ba9713a128245441a079a1d368367721229826a5f5ffa58cc8da947f9f095e349b0edc9a25748b54c44f8c5ae1bcccbec0d55723273

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
0a2afbc435116edec0236daed0baa5d3

SHA1
1e8906e3ba996dc06459bdb0e3258bbbbf331341

SHA256
134ce64994b98368dfbd171ac9e8faf4ae9a8ea4c7aabaf93a8126cc6f46e074

SHA512
43f7ecf0deb1b4142bab79175f2c1ac28dfef03aebf25c493b76dc86ff08d9f46f4b299c667b7f8f7b325667f98098a0e0b76294d7310e4a97c7ddf9bd999952

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
171cbbac6bbfdd2274ed2c151a875704

SHA1
a359819cecedec0ad28b2d83582c0441038b5f47

SHA256
ad973b649ba9e10fff6253f97b8d0ee800b81208058c6c5acb09f7f99479612e

SHA512
3e9e4850b80fb39cbd557c9e49fdf48c29828b5a1aba206d4d37e7d3320d25e3a10b5fc9143ec846601a5234e767ff2da16a17dcb3cd5e30d32d27511253205f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
bbe643d652917f7bf10d3f2f8fd7b2c4

SHA1
38ba60ba72aad4868a9c784cd680801e27bccbd2

SHA256
e5e73acd08e486cdbd64dc13c4f20bde1c40222c3b75a2f79b3ee692bb4d48f0

SHA512
cd2d577729f61782bf17fb1d12192c0b2fe281e7ce6bac75bec33903639c936497425871cb166772544250b745b376eae6704804a9e47804e13599d64c0cb148

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
23963ef7b5f9112a29523e31025ad7de

SHA1
98baa32f4513cd52990450b1183efa33272829a0

SHA256
f404a303f0afd9b5e8d24b75f2af684b81d1bbd3ae80c543e808873fc3ce12ae

SHA512
d614329c4f5f78845b59e3aef23c798e8c4563fb73f1e865e5fa0f23c5c4c765d68f8826b3c3c268a32527d2ed8cee5b5fc3e2d675277a9c98811f5f7ae59eab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
9c1825f3ab624418aa1bec21bca7877f

SHA1
ee8d064e0355752d548739b90cc3a3ce5ab91d1d

SHA256
88300311168a5f1c27182fc1b14cc8a6274473d5e948e1b3b23bd012da237de5

SHA512
74245b33f2da720cddfc6ebc642f80aa92d83b7f8a5615dce9c4c06e3a45ab4acdb7645106a194d1c3889a78538f449293dc467a3a0808a1fc14f59642caed43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
0f1cd5558d0aec3a04b3cc7c3e27aaa4

SHA1
8ba3102b68376e4d3f9f1788d08c265f75aa9251

SHA256
ceef4b6d5f7b21c545bd7edd4c78f4bd1a07d6666992a3cde919e52a02d78192

SHA512
4a8bd2c80a526a5fecbea16b3d9815dd1aa08983bf863c595017d078c7ca97e993aeb250c13dd3cfb73edfd3714789ae8db5b8c4c2b7a13d8cbf670f081ea90e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a588aa8c5f35550ef854f4d69fdfa90c

SHA1
c27906ba4d3ae81559b98fec1c28a0b971152a02

SHA256
6f7a29a03a193adee50a086ea5d295977e2306514b42159db4ab144c619b182d

SHA512
7539e560fd7fb69eac32a74f138f6e6070c508e3f933a5d2a7f6f1ee24ca010b65a69b564ee034d601db3e251dfe89cfc4d325727c16bfe5a61bcfe46b7ececb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a384b624e4c1b4c3bfb24ec03778a4e5

SHA1
3bb537c8dae39584847f9140243ccfddfe132795

SHA256
a0ccb369203a11ba92395a28016817bf8588ec8b8b072d7c33ad9dfb48fb7d14

SHA512
5a6662054b5233db5777490a51443b0405cfcac4b53923cbfc6bb2203dae9375444839612542e56f7f4e52d8cc6622837ea40a9e2feddb12db2cd5537e34cee2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f905d18dc0e911936893ec2f2a4e40dd

SHA1
810cfeeed09e1a3a02bbe893af37b4fbe0bb7815

SHA256
fc9165d59c254aeccfbc1a6b8c8ab1787402a419b416c12a7f21a3368959832d

SHA512
881b3d2c1bc123d14d505be109244361e3e35407b3f1c9a3223bd7c9725005722784a46f6efb6bae930d7ecdeb634cef961b9ad0aaf22557d3a4794f512d126f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
eab0874bdcf067ac4a33c4f4beda4c70

SHA1
5253da1ff20bce1c031a1bf41bafc84ed35db206

SHA256
2caa7c7207f43c361dd7982280b53e5ebd40d67bb9f484e7b9447d04b0e4c50d

SHA512
292bc6961b4449d39a5c17bc20f3696e69212584ac63a21e08a55603da2457ff774065843938a0d59cda7d8830d9d96de93ee7cdf6a124bdd07bf2c36f20af7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b14991008071642a08384b5a2698b1e5

SHA1
dc089db4dcb9042098aaf8ef9c21262ffe4839e6

SHA256
003b5f26ed84b722b8c41d29eaba20b211bdc9cc1e0a6fda8676f5770665fdf0

SHA512
7d86aeccbb88c91b420b95067ff831f439940fe446dd92b2cd675a069b07f5919ce1feb108622536f063d1f6e98dfa1798bd461a3355a9a36adcfacd26c6bb84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
af92f9d77608517a48acac2c7c586919

SHA1
b6e72d0919a8a1a52d507b91950acce099107358

SHA256
2678370b038f8d3073331b004e016ffa1be9acdf090cbdf6ad47e09e5aa94510

SHA512
d54839a4a5398b44ce29a9320b2e49677d4225e6b939629789cc5b0f976248d3322e05aed60d23e5fdac6efe64bc6a360a67453b35943cadca0ce638b3c4f773

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
23d96d67ff5f0e49105c8d2464017e13

SHA1
e42758ae1fe4cbcf8bc5ddc98249d6a065e57555

SHA256
fba08e2f8abfbfc35652c1d6fed89e7363092b25184741eeb5f92865b13befbd

SHA512
ec3af58bb125d06287877f1c345114441079c037b56a99890a799579fdb15469539870e30d41c2c168378951636132e13e9b094cdd77da33fab314d73a40b467

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
3d1790a0c639b1ef2d2ab600e8c0a009

SHA1
cb9ab44ee389d2d0b15bc4b805b432cf23f0ec20

SHA256
f1df078b601e5b0abfbafdb6a4d051a65bf4f7e6a770eb01079489ddb1086c98

SHA512
bf19737e2d7a025c1ed6f1e05d2a773b2c178eaa8627adeac37c4a4695c17becc7be2d568eb4c7a4519303b8f3682a4b10856f836a8d98d9ff6ce1993c9b8b48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4457030d5fe9997556797e5224fb6b86

SHA1
be95248d4b7464929e254ac27afe99ff142162b1

SHA256
2b5414511fd6ca6f81708ac586e037e46e78c1405537193b1a6a30c624ffb984

SHA512
091d89b14c003e597a25ea9cfc59e61e3c79cbde86b5c04b4bbb01d80fb57485da7c00c0befeab3404c8eed305d35fcead98e57be730c5f8bc071db0ff9c0bbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d6d931504b71fb56db92664c888ffbd6

SHA1
9ca521f1cdb9b12c29183de082a8f3c696a24f5f

SHA256
387cf8e4cc5929ea6d36c66f13a4d0fbc32df124afe6e82878fb66242ca24129

SHA512
4c8e24ab7e856e54297556095ce4af69e65666e79e526be1a3ed96b71874468c27b134fbb3e18c8ce74f546f4df027b6965394630e6371348f18020fe3411f99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
8404a09f6e40157df8bde2e44a39e59c

SHA1
8059bbef5bb615b6009ee8e80ab7c871e222fa26

SHA256
c4572671ed26917424b996c5559bc4af4245e2fa188dc381cdd0b908e09bd103

SHA512
616eccde4f232e6c3ca82a84637f6b95d2bb6df8951e60fa4b739c7e8a71ff3e0a1edbc0912c1230e568d41f0b960b83dfd5fd5d50fa2d60d4cf79267e1155fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
342dfeff12acde8314d4cb7bb3ef0a74

SHA1
f87275abe36343bd8ebff2b3d151f004bab1b6cf

SHA256
9bc387556ebd95c0b05d1f875f1ed75e7abd2dc87f2b8c599f66d9922ec2e1d9

SHA512
abe6e738909d593c489d8efe08bd0b4da33f45869d647148b40ad902910f356db1dbdd57728aca8b8e7a20f13c9ad8bd138994b517cf2dee3aef1edd814dbcd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
74f34ad71125b9075a2fec17f0e16abd

SHA1
2b86592e783af99730029ce7dfaca7acbdf6bb0e

SHA256
68d5373973ca05d557925948132fe591439ecfeb519a8687bdeed5625712c935

SHA512
98b8feb15ff0beb08d583e9f7f08ea351a82a3b16ac991b4b4a3d31168142c113a2805e7923c8f2643b93cf628c38b560fe2a272a90ba45b560a233ba929436d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
101KB

MD5
a9557e4c44c455d1c9e2c43fb2b844b3

SHA1
f4b0e57306fdcb925fa28a5ed0f6d4598bb26398

SHA256
609b6edcb4ba8057cfd9df419431ef7ea9c24dbae342cc7ebb22a68a6e6e841b

SHA512
aa1cd3c2c698b21cd45d1544d47164c7825521d2f9129a9893eba6323de10fcfb379a827d41d699480c7522319fefbbfee368892bb2edd46f6ed89ab9befaaab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
101KB

MD5
ce6265bcd9b134036ec987c3953bdd55

SHA1
cc0d5f491abcf72467bd316947584f6565311ca0

SHA256
f2a3d15e8a49bfb83801b405c9b2d1ee0e153f024d78eaf4a34d10133c1b8a3c

SHA512
3d7c32fa53f9347f6dbf443315fe74493f95602b7152fdfd3bf11530a282b4cccee2e02e098b3ee4a42dede90ed41b98f718a78fc56dbdc2ebe805b2e5d31c81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\CryptoLocker_10Sep2013.zip
Filesize
282KB

MD5
22078ff56e3fcd674ec4b9322a7dee5b

SHA1
3a5d07577b40e85047dcfb0bd03a6fc23e7cc671

SHA256
ddb9b850fa0eee2f62463728b07bffc11eaa9b241d215029eaddf1de4ec54936

SHA512
6e1f260057ba8f8eb4568fac513f0b49094ae387d9a555c2600a75df00d1c091506e77dab58f36908b1c0cbfebb1d82984f915741c1a8b790f5f6c82f64add5e

Download Submit
C:\Users\Admin\Downloads\Ransomware.Mamba.zip.crdownload
Filesize
1.0MB

MD5
f94d1f4e2ce6c7cc81961361aab8a144

SHA1
88189db0691667653fe1522c6b5673bf75aa44aa

SHA256
610a52c340ebaff31093c5ef0d76032ac2acdc81a3431e68b244bf42905fd70a

SHA512
7b7cf9a782549e75f87b8c62d091369b47c1b22c9a10dcf4a5d9f2db9a879ed3969316292d3944f95aeb67f34ae6dc6bbe2ae5ca497be3a25741a2aa204e66ad

Download Submit
C:\Users\Admin\Downloads\Ransomware.Satana.zip
Filesize
57KB

MD5
82f621944ee2639817400befabedffcf

SHA1
c183ae5ab43b9b3d3fabdb29859876c507a8d273

SHA256
4785c134b128df624760c02ad23c7e345a234a99828c3fecf58fbd6d5449897f

SHA512
7a2257af32b265596e9f864767f2b86fb439b846f7bffa4b9f477f2e54bc3ff2bb56a39db88b72a0112972959570afc697c3202839a836a6d10409a10985031b

Download Submit
\??\pipe\crashpad_4044_FHIIBDHVAIDAOOAJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3728-331-0x000002468B5B0000-0x000002468B5B1000-memory.dmp

Filesize
4KB

Download
memory/3728-336-0x000002468B5B0000-0x000002468B5B1000-memory.dmp

Filesize
4KB

Download
memory/3728-335-0x000002468B5B0000-0x000002468B5B1000-memory.dmp

Filesize
4KB

Download
memory/3728-334-0x000002468B5B0000-0x000002468B5B1000-memory.dmp

Filesize
4KB

Download
memory/3728-333-0x000002468B5B0000-0x000002468B5B1000-memory.dmp

Filesize
4KB

Download
memory/3728-332-0x000002468B5B0000-0x000002468B5B1000-memory.dmp

Filesize
4KB

Download
memory/3728-330-0x000002468B5B0000-0x000002468B5B1000-memory.dmp

Filesize
4KB

Download
memory/3728-326-0x000002468B5B0000-0x000002468B5B1000-memory.dmp

Filesize
4KB

Download
memory/3728-325-0x000002468B5B0000-0x000002468B5B1000-memory.dmp

Filesize
4KB

Download
memory/3728-324-0x000002468B5B0000-0x000002468B5B1000-memory.dmp

Filesize
4KB

Download