chaos | hxxps://github[.]com/im-Satyendra/Ransomware-builder

Analysis

max time kernel
264s
max time network
270s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
11-02-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/im-Satyendra/Ransomware-builder

Score

10^/10

chaos persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\read_it.txt

Ransom Note

Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Emails

[email protected]

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 5 IoCs

resource	yara_rule
behavioral1/files/0x000400000002a804-197.dat	family_chaos
behavioral1/memory/6000-217-0x0000000000730000-0x00000000007E0000-memory.dmp	family_chaos
behavioral1/files/0x000100000002a876-279.dat	family_chaos
behavioral1/memory/2424-1106-0x0000000000240000-0x000000000024E000-memory.dmp	family_chaos
behavioral1/files/0x0004000000025011-1111.dat	family_chaos

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe

Executes dropped EXE 11 IoCs

pid	Process
6000	BloodEagle Ransomware Builder.exe
4764	AnyDesk.exe
6120	AnyDesk.exe
5044	AnyDesk.exe
5064	AnyDesk.exe
1920	AnyDesk.exe
3372	AnyDesk.exe
2424	crypt.exe
1656	svchost.exe
3092	Decrypter.exe
1460	BloodEagle Ransomware Builder.exe

Loads dropped DLL 4 IoCs

pid	Process
5044	AnyDesk.exe
6120	AnyDesk.exe
3372	AnyDesk.exe
1920	AnyDesk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2201820139-2432375203-2549035866-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
21	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133521255499213276"	chrome.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	BloodEagle Ransomware Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	BloodEagle Ransomware Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	BloodEagle Ransomware Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	BloodEagle Ransomware Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	BloodEagle Ransomware Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	BloodEagle Ransomware Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	BloodEagle Ransomware Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	BloodEagle Ransomware Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	BloodEagle Ransomware Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	BloodEagle Ransomware Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	BloodEagle Ransomware Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings	BloodEagle Ransomware Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	BloodEagle Ransomware Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	BloodEagle Ransomware Builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	BloodEagle Ransomware Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	BloodEagle Ransomware Builder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	BloodEagle Ransomware Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	BloodEagle Ransomware Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	BloodEagle Ransomware Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	BloodEagle Ransomware Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	BloodEagle Ransomware Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	BloodEagle Ransomware Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	BloodEagle Ransomware Builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	BloodEagle Ransomware Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	BloodEagle Ransomware Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	BloodEagle Ransomware Builder.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5500	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe
6120	AnyDesk.exe
6120	AnyDesk.exe
4844	chrome.exe
4844	chrome.exe
4764	AnyDesk.exe
4764	AnyDesk.exe
5044	AnyDesk.exe
5044	AnyDesk.exe
1920	AnyDesk.exe
1920	AnyDesk.exe
2424	crypt.exe
2424	crypt.exe
2424	crypt.exe
2424	crypt.exe
2424	crypt.exe
2424	crypt.exe
2424	crypt.exe
2424	crypt.exe
2424	crypt.exe
2424	crypt.exe
2424	crypt.exe
2424	crypt.exe
2424	crypt.exe
2424	crypt.exe
2424	crypt.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1460	BloodEagle Ransomware Builder.exe
1460	BloodEagle Ransomware Builder.exe
1460	BloodEagle Ransomware Builder.exe
1460	BloodEagle Ransomware Builder.exe
1460	BloodEagle Ransomware Builder.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeDebugPrivilege	6000	BloodEagle Ransomware Builder.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
5044	AnyDesk.exe
5044	AnyDesk.exe
5044	AnyDesk.exe
5044	AnyDesk.exe
5044	AnyDesk.exe
3372	AnyDesk.exe
3372	AnyDesk.exe
3372	AnyDesk.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
5044	AnyDesk.exe
5044	AnyDesk.exe
5044	AnyDesk.exe
5044	AnyDesk.exe
5044	AnyDesk.exe
3372	AnyDesk.exe
3372	AnyDesk.exe
3372	AnyDesk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
6000	BloodEagle Ransomware Builder.exe
6000	BloodEagle Ransomware Builder.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 4284	3308	chrome.exe	76
PID 3308 wrote to memory of 4284	3308	chrome.exe	76
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 4448	3308	chrome.exe	80
PID 3308 wrote to memory of 2468	3308	chrome.exe	78
PID 3308 wrote to memory of 2468	3308	chrome.exe	78
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79
PID 3308 wrote to memory of 5892	3308	chrome.exe	79

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/im-Satyendra/Ransomware-builder
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffad4da9758,0x7ffad4da9768,0x7ffad4da9778
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:5892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:2
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5088 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4780 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4580 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5228 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:3636
- C:\Users\Admin\Downloads\BloodEagle Ransomware Builder.exe
  "C:\Users\Admin\Downloads\BloodEagle Ransomware Builder.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6000
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o0kxt2lg\o0kxt2lg.cmdline"
    3⤵
    PID:2484
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD52.tmp" "c:\Users\Admin\Downloads\CSCE21CD1969ADB4BEE86E05F362EA855F.TMP"
      4⤵
      PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3888 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4736 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5624 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5256 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5992 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:6084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5968 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:6076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:8
  2⤵
  PID:944
- C:\Users\Admin\Downloads\AnyDesk.exe
  "C:\Users\Admin\Downloads\AnyDesk.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5044
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:6120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3132 --field-trial-handle=1664,i,15748686833646629206,2082725039581812952,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4844

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3444

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004B4
1⤵
PID:4524

C:\Users\Admin\Downloads\AnyDesk.exe
"C:\Users\Admin\Downloads\AnyDesk.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5064
- C:\Users\Admin\Downloads\AnyDesk.exe
  "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3372
- C:\Users\Admin\Downloads\AnyDesk.exe
  "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1920

C:\Users\Admin\Downloads\crypt.exe
"C:\Users\Admin\Downloads\crypt.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2424
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1656
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5500

C:\Users\Admin\Downloads\decrypt-decrypter\Decrypter.exe
"C:\Users\Admin\Downloads\decrypt-decrypter\Decrypter.exe"
1⤵
- Executes dropped EXE
PID:3092

C:\Users\Admin\Downloads\BloodEagle Ransomware Builder.exe
"C:\Users\Admin\Downloads\BloodEagle Ransomware Builder.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
954f6151986bd40e69e9c3146403aca8

SHA1
cf5f7433479abc0a2216a8fb42ea383d6cc2e751

SHA256
457511af1ecd61e2295868b14ac818733a9f4ca72610ff98cec0b34dd1ac1353

SHA512
84433dc178cfd577000de08021304c9fb6d085260df8b1139743444f3bd6af98f3af0d9be32cc6749e595845d774880a9d3f3e79cbcb98f2f74caa1295870b09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
194KB

MD5
36104d04a9994182ba78be74c7ac3b0e

SHA1
0c049d44cd22468abb1d0711ec844e68297a7b3d

SHA256
ccde155056cdce86d7e51dfd4e8fb603e8d816224b1257adfcf9503139dd28f1

SHA512
8c115e3e5925fb01efd8dda889f4d5e890f6daaf40b10d5b8e3d9b19e15dadcb9dcf344f40c43f59a1f5428b3ee49e24e492cf0cb6826add1c03d21efdec52ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0d998176c6823294c548be4631ec5f41

SHA1
1ae3ef572c494c07bce06b87066aa79d5b9a75cb

SHA256
76efc50523c4f162ce15cbcc23f57da20696619fc5a21970d6abfe92efacdd3f

SHA512
2a7cdb391881f5b1e7d94c853890153f0f4173110f7e495e8d3927380a5de49987cbf95df86b480a68f31ee2868288f3de989f64972f479d9c6beb38dd3d4d97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7b9b77544afbcf878780321cac7e95a9

SHA1
77231a30ec1fe2c3477b8b92723d348cac76d517

SHA256
8fa2f6d046d31c14b53c8386b55a7f3fe5c9bde0de98ecbdc76cd7b94b88cde5

SHA512
d1be691326438ddeed7a02a3b1faec5418e3c0ab8b12e7de08f8aca2e1540fd37ec45b0b0fac40f4d7299d21b6098344dd4df685c13091d41c301178c553a9b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\3a0f4f0f-2eb6-4568-a727-c1c8dc0a4458.tmp

Filesize
1KB

MD5
ae8c123b709589370097d43cac4f3640

SHA1
587b518fb3559a72d1c976abe6b49971f8804d70

SHA256
538ad1aac2a63e0e2946f1c82d0761a2a49375d5e5d53abe8143706a5188fd7e

SHA512
55629fd65ea7d9f66addbb83abf1dc023bb7589030027ef5ceebf2a8103c747b1ad4a9cb2690b06c43491daa9a0f6207d72c478ee1af6b17653b7cdafed4cc67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a0268b0f42578a940294d5665ad16f17

SHA1
65a34b222630936e3753045a330b41ee7c275f4e

SHA256
87812f84039c68af7ee181cfb6238004b7b457242fa9eeb9bb0faf3973bd4e2d

SHA512
a8e18eefcdfb9f4fab95317dfeb111f158fa7fb33f388e561eaf23bc7c22f192ac213fdcc47d54ebc28c3da787ae97e887e5f3d8fbf33366d42d9ad73ba422d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
59b156771af56c02eb4005c97c167d71

SHA1
b143fe00d204d5bae137ac84064ed59a938a128c

SHA256
c29be1017e1c103ff36d316257b09191eeda78bf836e328bd37634808d87a095

SHA512
055f28fd45fdbe75de883bb6331ed3fae6d5f9789b01b883e8365b4e00e5b42e2105bb48c73b366e71fad5eeed2b923a483491568f2e1f8882bcd36947f0510a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
7c14d5c7053847383ad4cc101ce00b62

SHA1
b89b05876e347db7d0735d07c6d9898e4392d5b0

SHA256
1bf3ba61d33953ef83949d7c7147093fde49d18d92a798e6c47a52ccbc2d7c81

SHA512
f7afabde9462f74b3b93439d4776421eaa36bd25312647a29b80e3cc9b3eb3fee8bdb2b20765ede78479d279c89011702fbc177f350413b0e596aa6322602e40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ea4acb0744cd5d957e99ab42f1104aeb

SHA1
84f2e8e881acd25de1fd357a812513ecf432ce21

SHA256
f9966921fc33e9d424b78c4a41cdc3de818534905ec35432cc25d70953f37dec

SHA512
aee2cfcf50cba71bc5c38981f44145de8cabdce9af13142c19f4bf8b905c513a605207d3573891991b6dc26278bde9d2454ec6034309212b9024296c5455aa4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
7994f080e22ff3afa59ac830435ebdc2

SHA1
3581e2484d9f6ffdfb7b89fba14cfe6085da2fff

SHA256
be2690710ea6e835b917919e01ef8af08c3d20958c462f814c227b8709d6c0c1

SHA512
28c4b673e22e64d0662fdb9d96bba1af6bc884806df8a3b0cfd8080d2274dab40fef97b5deca9dc2394a8094aa886357f5c8063487d6578cc4863fbc2f8efcbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
f949a9b610420bec478ee4d27eb15628

SHA1
a3c869eb702e43557bbca3635a84ebd650341970

SHA256
6b5e0cb07c9f4972d30d679d6424595a18b827978a2df30093c7d30d6e2426c8

SHA512
a0c016792c37c8128490205e5776fbf8f3c6456a58b767c6e8b531bac2b75d0ca3d1740602770d776025fc1a784adc8855086df9809cb07b893d39e2c963abd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
40477c7e66a9427054068c8af33126ac

SHA1
d23020e5ffa713f585f5ac6f9b1f00a00827035c

SHA256
4b4cb4a5d2a5f8c9b04295312261790bdd7ebd20cc65b3d9236bed83009de0b8

SHA512
5ec25fa2b3c2f281a53db16c029f30dec4eeadaf3d45da2166fe8cbdbae4bdf20629932b886478cfc4ac5ade01e8c2f3546d5df9889fb4297519f31a9295f114

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7ce23e8f7f1699c2ca7b81579425086b

SHA1
6dafa01f594d8cf714e70767d17d1f38f9226548

SHA256
6a889efb6acdadbafd49ae5cfcb702185371a538b7da8b0e99980c61b08f6d11

SHA512
07c4856fe8dc576b5c0f414628c8d4256c7b238ac6a6dc17f609d0d0c252b0c63b06686305dbf5770a2ff2322960e5b8d8afc8b534bec16d8543055bb67ef624

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6ca547c1af5e26996ac9263f0112b806

SHA1
63cd90136fdadfc6d8d431462961f0b9c18812f1

SHA256
e4f8bb481496b66994a3a9f1ea049edd322ad3339e5f8b47a05d7b368811be8d

SHA512
e91f7a0e27dae44612847b0200df5fa12ecdb3e60ae410231a7386b496da30153f67b598f927a23c12ba5acfaf848a40433f1c97868ce60aeeaa0829ef8ba877

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
feb564c8f423b800d44956716613abd8

SHA1
b498e43bdad11491db10e8ddab3dfc836270bb79

SHA256
f7fca4ec391b2d524465a0d3b66e064f4d3a81b5899268b1b94af64b08eba943

SHA512
550da5ee1013862103d96413cde8f045e7da46dac56ac2c46b04996ca07bb5274d9f0480b2fed637fe4108ac8b995c2376c5245ca775035bead1ee55acf50640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1472c727ac020fa1ba951df8e30a887e

SHA1
8dbecf2f041a0473919baa658e72616bbbe66bdb

SHA256
bf2ebb43f060e49adc264f32fa3b61c578c6bf370c2c266ebe76033d54c178d4

SHA512
b0edaae64d259c8890be44ab039360088034cf9e7853157e2d0d1957e138498f2e3f2929a5af27592971d97f22663d1773fc8f296d1402304a4f32c040fe6ee7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
03d9daea1c85ecbd8e72c30cfd7cecc4

SHA1
d816b0f5abe24cf758a6933917c7f733e4c10fcc

SHA256
844da2bd21626d0cd7e1e4771bafb4fa6ee52e2ea12f1ad76540e7241438b4c1

SHA512
ae5cda7e925beaa217e037c186fdf35903d64ad3a870171b04b174227e5ab73afaef1c804694ae8985da0bddc9c72a9516831efe96c65d572aa0bebf90ec3f73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ddc7411976afe5d16188fe50417f6a69

SHA1
96b8bc738d658c5ce9b723170de0a868d287861e

SHA256
dd7d4e1029b94ad01727fba6c0f8967494c7b5347535b64a7def44c910fbcd8d

SHA512
0238544c6b30932f9f700d998e33a9e26125d23cf285512317d9a41879ff93ff9af70326592f1f308993dceab5ab98de21c4862fc01262408e65c421246ef94a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt

Filesize
105B

MD5
82adb03f16d4661a21ccf460ba310fee

SHA1
692c71cef6ccec0bbbcdae0eb984db9f9be0a7b1

SHA256
96e441321a2c579aa304047d36f54b3c817c2b21cfb444b390b567d739142d57

SHA512
e9006b52fd627aae7074763853c0fc53ee60cd28198cf6b0aa622677d31bf3a8869f07e47125e6058b343e518bc04d2bbc69abba0f49f684f51f5a06d42b681d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt~RFe5954bd.TMP

Filesize
112B

MD5
39f4d1f2835ec36606dfab33af41e412

SHA1
b1711343fce44136697dee5dc5327d1019011143

SHA256
b9c260c9ca8d8f0a8ed1e153fa3668c5823ff05641bc6666aee474c1d099edd3

SHA512
67429a82d4a671711cb7d06fa7c11a22262662b82b527ad5ba19b84cd9ff4a4f11b9162b85ec342b4d40950481151770b3e7b3b6eb6e18eda6b6a88743592fa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
87876632fdf48267cba88da8cb77f0e9

SHA1
03229282677c0707422159de292635929230ae54

SHA256
ebde6332d88225aaf5103ff969ee81a85756bcb18b3f611687bf27e3bb2de32e

SHA512
3bdb33130c6f9e9e0c73cd66c0c14829925d13e75c8592c3e0c4d3c180f4881cbd562d0bdb8c5ea2e36715bbd7ace6038aab7cbd753724a522c8751dc49a6c31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
923c1b625719b866bc0ff7a37c5f57c3

SHA1
94547d9a173393e98d20d743a7d660c2c9d4715c

SHA256
9d8524b18c4fbb99e507eb441c048916f919002c980b90f0c497897d44f9f529

SHA512
c8ea97e7c3483a2d16a825cc6b1db9d45af65e7d713a7926e8bd48494392245e59efe4ab90a4cd765f771f2f24af6ea1f6664bc4fef85f2bc56383ef1f1f96fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe591f46.TMP

Filesize
100KB

MD5
aa77f99c07eecd178c4312f65629d9b1

SHA1
6b1bef1f48fa990ef10dd851a7678e0ed73e6740

SHA256
98d945308f7c43168e5e23dfc1b5fa18df80a7fdf1b71cb717af73db9d221620

SHA512
f07ab13f5ec99cd95a85f1eb34917ce5ebf9314dd6aad53d86af0e2d83356c9476e75ff9e78e9df76b8d8f0270ddc6f7b173f7b98a949099cfb03dd9f9187b0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAD52.tmp

Filesize
1KB

MD5
c5bc207e810558ef7171eb2b71e2e5d5

SHA1
cdc60166e7a3e02509fd1b93d4ce96f00f5dac6e

SHA256
694b0f2be2ff9ee72ea0d7157b8b1d16ddb60d1eedb2d46806991bd66796cbfe

SHA512
95b1de613c2b5e2be316e4b90f004a4366c8a6bf176a5c6dde380a443c91e4ab8a15f9d969b27fa22473b66a151b19c6a3d3d45746ced710ba5b2bf3f889c8c3

Download Submit
C:\Users\Admin\AppData\Local\read_it.txt

Filesize
595B

MD5
7cff3b94ef1413349cdf9d4742f9cd77

SHA1
0569d834acc4a41e0b47bc1d03dcf27430106096

SHA256
bb6cdcdbb8d8b17243cce8bc7c9d7eee1872b63313640e5d63c63619712ddd8d

SHA512
1425864a3944742df1f4f849455c3224e2ee281b4c19dbc46af180efaaa1fb35dc14ef047faa02ba92e3d8b5a33ad60cc65c7b4ea9e1182a5b91d01e9edd2873

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
0e7aadfc39cef812b3dbe5cbfc359dea

SHA1
e3600e3e686970fbde861e096bde459039c2b10c

SHA256
1b6e63daf6e5506fa5d5545acd71c526e4da6e4767b9c38a2d5de2c02da2b23d

SHA512
232c7b0f6bc843e9f87089ce079ac3840c1e6f6ffc045726e9f27a352b03a2a875798faccdc134f4d5ed3a012ce459f66a44431e7c1a5394d08b718094e6feb9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
16963e57d727c92d722ed1ecbd4de72e

SHA1
301f50d80c390f6abbc178fb16484ad36b0c6c0d

SHA256
ac44609d5c3c2a20b08677086e8d79612498a9a492930fcebbc6489bfd455725

SHA512
119697a65a41decb7af539b96182d06bc9ed8e197d18940d24bd8ba134dcae97991632b5df26bba430b93ab7007019ead3af40fb9138e9fb54b39165cb9aed54

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
bc6227282ca559683fb06add3a24480b

SHA1
3da4042652dab0457825a2fb94ccfb5266ae224c

SHA256
c8e7bd6f056e9045639290b6c9b78f08811e905f9a64a4303ee97a7dca959b15

SHA512
8bdca4fe1eab187fea1ba3f4ace7487ed05df647db958558e4f3f03b4575d0b4ed9a5379469a7796ffe8c9b1b9846481d7f044ab9d7f2df2a69887a937441ca3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
863B

MD5
c9e998a866840a49f108df8034a29fc2

SHA1
6a6b9ba020d792de1a17ccbb24a4a59fb7380119

SHA256
7107232770e502a3934047aa5f2c2d657f203066c114b9c3d5fbbb79ce40b7dd

SHA512
25636ed211fb1775ecb25b4544fd792136187fe6b4a0a86507b225f513b29cbb776f95d0a708d6f645f37efceeb930c4a8f00a24eae26d18ca9ef5850e6e0a90

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
863B

MD5
6962b27e31f5311832d7e90fffd0cb41

SHA1
ffa224d2f0138d6659f5b5daf60e004d72941873

SHA256
f69c67e419e3f6e7742e251591679e56e13bee9905a0a6114dea5d7136e03e62

SHA512
f5a9599f8a396e39f9544fdfb3669c0d8e0cbba9e5ac51e7d6a01a2fa815dc8eb4d8d1455ba6f89955722d682eeb5a71159cdf8c5ec3624b1d09d79988d55759

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2b8ac216006d738617eed7feb4969f2a

SHA1
04b7d284090fe455c0253900a846a055ac80419f

SHA256
ddb4a6093e6630ebb794d0df0a622ead83fa7c16cbdf319e28ed6c67d4c16566

SHA512
6faff6ffd54fdd93426ff0bbd8fdba61ca32f77490699d557e8ea107cf7b4aed9ce8ec41c5713f3109606ca1715e3ee2c5e619fbc3f627b8a9c9a19a783e1514

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
1858f47467e18aab8e4f6709a048c809

SHA1
b904bea67b09d1dd84e90b39d65d22c7d52044a5

SHA256
f30394d029a1fbc8e6c0a08e1281cc24879851a5683dd23e00d4f08dc45f0829

SHA512
4f62c62f966b273a392d9f0b81810b9587cc3c34d4ecb9042c1713b794bcaa572d452f518da8de37148048694b8bd69592d46ee5af960b2d0f1ad9d20a95e38f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
4ecc4747bdf34ef2fc6d6f2597f70463

SHA1
b666ec8984abfaedb4a9d3c6f7cb01bf14609e92

SHA256
126c146d99cc9f0ac9ee2e2676f296c9325cf47cc0e052b6f4f9983267121d4e

SHA512
ac2146cedd67604a7a23b7a647b6e28b5d9f46d86a0093466eec59f7a67885050e9a21b0cb56e001fb918b5e85a8b670d88d54bec3c6cb13f3012db2f1759606

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
bd2e8d6d1178d82080be1a4371037298

SHA1
9a6121d07657f15f80c97d5c0bd40d2651b22e9b

SHA256
8500263029c5ce966a36389f4f7ff9bf8526a744b7aa2a69a946cabb28b14c05

SHA512
fe6ccc2dcc3ad5a52ae6c9c0916cd05a0bbc5d2fa75f43f3304b4fe890e9bb0d7a46e9c77066cb427d6a02b64a0044a6dd04f949b40f90d7cfa66269411f7347

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e4a5e1e9a2b6abf8aa71c1dddb11d17c

SHA1
c23b23aaf33497a77f91a4c1f462a4b7e1454c1a

SHA256
b088e83cb83baf84637484809f59accc599a3826329e09f69815227cd663bca0

SHA512
368e3ea6f62fc9b7a2d82dd543e1a47c30beed3c4839a604298d42a734d84c1f0f251a978e3a49baa8098f8dbaa4cb7f52b502d398ccc6269d89732a2a867173

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0847a1647f378e096f301bb8356bc378

SHA1
c1c46d08e37defa38d4666420ca63f19e81fe641

SHA256
18ac011df8ca1991504ae2cf49d68e9c60f0ed1c34098730dfaa2b55bb49ae91

SHA512
2c9a3a5b9bdda8a7a0d1505bd65f710347d2d1ee631140c6d4461c38c9069c4a97ac254b3b75eed49bea3ec31bed2201c564b3c6209cd498d5a5659cacf959c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1494aa9d1b638da5ea69fca51deac17d

SHA1
0d332e198eef1dec545af5bdeaa8e44a49d3f353

SHA256
42f237036893e326c531d3b4ed197e270f1ba70ca8a6da095072ce70bc914c2c

SHA512
11b547bf2df6b77b1ca0a630286e99fc15eea82197a3ae3f94f66f2ef4fb51656c01ca9d220ba93738a7a7266fdc18cc78119221421f66a5d3a6c9e1e61b35ef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
16074d9fba99a2b1f10fe18313f3beb8

SHA1
ba5898e4e00978ab7974a6231254c37d57e51189

SHA256
2362bb4a76a0cbedd35dc1d4f19c46e8233a54a68256b80602a11d2c5d650b5b

SHA512
b9d093a7a1a3575e4e13a867cb1e12e6d01ba42990587f35d0ec6ce2d904392e308073c47f122a0407d8cd889338d784d8a2819ef1770f1943d0735e9652109c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0eb1519e7fafd1b52ee96ce533cc7d72

SHA1
b2dfbad6a36dd16ac945f0ecbd0f495b79c03795

SHA256
81efcd504d2a3b4936b4e7de5fdd6b250710018db983e3350530da5cba9cc0d1

SHA512
5b2a1df98b7c5aa7ffb1a52e13374756dbad48430672ce0c6f14feda85d7e963d0813ddca707282eba109db55608b834c77509ea1fe696d5082d63d2d93961ab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
caad29b7f54d808e761c6b88629b5a43

SHA1
8eb48a9902a4fe607e24467e4e0e7620b7a5ff7e

SHA256
50b6b61982978b5a622cd5ac6e3cc6b2c0f83c7eab02eb8128b218d78d099754

SHA512
28caedc241c21d27c6bca66f503d3d65c2d3f64e5f40fa206a2faf31491115398a7d74970089c554a0bcb7220045105b22c715df85f2e50f6bab257f515ecaa8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
deddc339cb5833eec5a4486b12bf0691

SHA1
ec7648edb167b057d2b43d6e576298876aabdfac

SHA256
4f351076bc429794c07fa2f8d428780af993b7312d2f94f8414f936d27362398

SHA512
39cb4fa02f9c26ba067df0e4a463feb07ecfdf2ff54ab9f208f8f048f421840111326728ec811d4cae408d61148b3060750936946675109a32796419a3545614

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
aea5d3b0260188a529c67b7ee03ed664

SHA1
9eeb854c073711f1aaa90dce860e630541662b08

SHA256
9f38c09cb3dbbb6806b02de5175206ef72d398b626dc5a0b74b7f0476714d8a2

SHA512
947e857bdaed88a599491606c5835296069eef1d2297899a43272845496458e1556ed22a0b460a69ea5d1d6f6b02640679ae491228017b8b344c47191853997f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
27b43e8cf9fc83e3af8798349941cdb4

SHA1
3e057c1f58cdd8e6f690a24a0c66fff4bb518e61

SHA256
753b8700a0dd7933e7cc42b270646c9ad86753347c0c66e7dac016a8e5426679

SHA512
b7674307a6b0ff9c068f4c9399addd636091e6d7ab0b3f07699a0a54047c088b73899f4954d2562ec1b9f6ffae46223823d077536bf765fe4438fd4637a89a5e

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
27KB

MD5
c52785024856f5634caffcf661a57b2b

SHA1
871c8aacdfac88923c05793635a013307bd8e380

SHA256
973c60869c16bccb6681924344c5ddce14f8b4a4bc4b639a76f8bff53e98fa69

SHA512
3dba2af10ab7c82943f153f57e400f825fc041fec361c40ca284f67c79cb188473aa3a1adb8cdaa2a57662569fce1b22bb6d46555dd3626cb7c95757a74df466

Download Submit
C:\Users\Admin\Downloads\AnyDesk.exe

Filesize
832KB

MD5
c4973bfb4cb45b45f5fdac63a25846e8

SHA1
cf50b66252654ded38785d6dcafae8fbb43b1244

SHA256
228e949c49120de14b7a81268bbc4505f7635edd70893bece382197694a63dfa

SHA512
369a558de44878c1085526dd23cff0e690516fa0fed53082a6dd6717a0a06ce8e2c62c44823805801b9986d2dfd943a5faa8a989a73367bca6015dcafd348429

Download Submit
C:\Users\Admin\Downloads\AnyDesk.exe

Filesize
102KB

MD5
969b0ada4a4280afe5715f5cf104640d

SHA1
0cc7e7538ec8b104e21fd4deffe9bbed4002f57e

SHA256
264e55b40cfec4e9decd2e0d0edbebeff6e7ca46abdeca0835a5972bf3d03ebd

SHA512
a433f4898c8c6a595f4553924d53319292bb1691bcaf75a0b60a5a3880f4432efcbe25346d60a72956dab1924dd48d9912f8a59e4e43d2c8f7336c7209ad9a17

Download Submit
C:\Users\Admin\Downloads\AnyDesk.exe

Filesize
1.1MB

MD5
a172a5e1911c214c347d13be3763ea7b

SHA1
56342823fb9c2caf5fdf08efb292d3683ae3ef9f

SHA256
1586c7f10146763b0996397038666060bdbaa832a9587dc496170e122a95a2f7

SHA512
822590859ecc6e0926d198f56c97b6865f302d19afbf081306f73ed5dcfb337a01c845e3887fd8a3e65d040e94edc0df75835ccce454c13089d21d5fa113429c

Download Submit
C:\Users\Admin\Downloads\AnyDesk.exe

Filesize
1024KB

MD5
295b3e4171d046141fecce7224b7ceba

SHA1
b113659844925286732963cf8a6ac6d9b0d10a7f

SHA256
5eb7eb344f38be1c0c1030f88abc9df5d05da06572be5ad5ae47dfc48f8ccc5a

SHA512
abdea5837b6c4e367a4c57c0fe66ab43981804603952c11c70f1af46f2447fd82022fc4397c182b80f91c28f77014ea0c7c0a53f96d4068864e251cd99dbd368

Download Submit
C:\Users\Admin\Downloads\BloodEagle Ransomware Builder.exe

Filesize
683KB

MD5
bd74ac3a184b41087eaffe1c4e5575f1

SHA1
dcf0cc5cf9d633f398bda7821bb04b89ac60870d

SHA256
87675dc68eac28c09af5658389267f7160d34865aaa4d2abaf4f127432333bcc

SHA512
bed0db9ed78e0459b151849b6c04ed626a664b6779fdce3b5ccdced5dc06c2eea208b08dc1cf153a6781587c45fba3d92a8f5a27952c58fcace27330a75d9526

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 99508.crdownload

Filesize
5.0MB

MD5
a21768190f3b9feae33aaef660cb7a83

SHA1
24780657328783ef50ae0964b23288e68841a421

SHA256
55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

SHA512
ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62

Download Submit
C:\Users\Admin\Downloads\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk

Filesize
1B

MD5
d1457b72c3fb323a2671125aef3eab5d

SHA1
5bab61eb53176449e25c2c82f172b82cb13ffb9d

SHA256
8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

SHA512
ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o0kxt2lg\o0kxt2lg.0.cs

Filesize
39KB

MD5
63c2c5bb80020a0ca8bee07953756c6f

SHA1
d742320cff2e8b2abd828a9782154a348d46acb8

SHA256
06312ba59dc96d435647927b68fcfbbc9dff7399a05b1ee774adcc1fd70a3d81

SHA512
1de0293f0e92ee3780f8182079967181fbd26640d32e17cb27fd0a1d8935f2543a3b2b556d8cc88a1c7ccf3cb71f35f6a0d9280e19056b7d9b091fe270d136d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o0kxt2lg\o0kxt2lg.cmdline

Filesize
389B

MD5
3079c09208363027499264acbf38f138

SHA1
b66911b48debaa443643652fc4e937ef46393e9d

SHA256
8d372799b7c2fb89867fc883516ffa87a3f752a310655247f5f34146bd4d9cea

SHA512
5b34c1f023b5ec90ebb32f41f73c10c0546547f6e25094f069ac3275c92255177f603ba995ffa06ea1fe6ee1be21aeeea382a0783a8f516dca9d563a232ab3d0

Download Submit
\??\c:\Users\Admin\Downloads\CSCE21CD1969ADB4BEE86E05F362EA855F.TMP

Filesize
1KB

MD5
d4cd732ebc3e9701fd244ef9272f9734

SHA1
be796294e38cad731e6d45f321714e821dbc7c53

SHA256
1db87c9a975739e2d5588eada21ba5500d57dff125e1ff6f5cf6c54d2482a684

SHA512
0828f39b677b2120b29ffa410b1a101a8681a9afc93fb029ad3ee3da5fab1b0d2e54f02123e50734f53c0e07706fcf98f68c50ef2a7114ef951b47b978c0fec9

Download Submit
memory/1460-2396-0x000000001B020000-0x000000001B1D3000-memory.dmp

Filesize
1.7MB

Download
memory/1460-2379-0x000000001B010000-0x000000001B020000-memory.dmp

Filesize
64KB

Download
memory/1460-2395-0x000000001B020000-0x000000001B1D3000-memory.dmp

Filesize
1.7MB

Download
memory/1460-2381-0x000000001B010000-0x000000001B020000-memory.dmp

Filesize
64KB

Download
memory/1460-2397-0x000000001B010000-0x000000001B020000-memory.dmp

Filesize
64KB

Download
memory/1460-2398-0x00007FFAC0090000-0x00007FFAC0B52000-memory.dmp

Filesize
10.8MB

Download
memory/1460-2382-0x000000001B010000-0x000000001B020000-memory.dmp

Filesize
64KB

Download
memory/1460-2378-0x00007FFAC0090000-0x00007FFAC0B52000-memory.dmp

Filesize
10.8MB

Download
memory/1656-1119-0x00007FFAC0C30000-0x00007FFAC16F2000-memory.dmp

Filesize
10.8MB

Download
memory/1656-2347-0x00007FFAC0C30000-0x00007FFAC16F2000-memory.dmp

Filesize
10.8MB

Download
memory/1920-994-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/1920-1120-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/1920-992-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/1920-1011-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2424-1118-0x00007FFAC0C30000-0x00007FFAC16F2000-memory.dmp

Filesize
10.8MB

Download
memory/2424-1106-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/3092-2367-0x0000000000140000-0x000000000017A000-memory.dmp

Filesize
232KB

Download
memory/3092-2369-0x00007FFAC0090000-0x00007FFAC0B52000-memory.dmp

Filesize
10.8MB

Download
memory/3092-2371-0x00007FFAC0090000-0x00007FFAC0B52000-memory.dmp

Filesize
10.8MB

Download
memory/3372-2361-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/3372-993-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/3372-998-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/3372-2193-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/4764-620-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/4764-647-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/4764-619-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/4764-623-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/4764-648-0x00000000067D0000-0x00000000067D1000-memory.dmp

Filesize
4KB

Download
memory/4764-712-0x00000000084D0000-0x00000000084D1000-memory.dmp

Filesize
4KB

Download
memory/4764-724-0x0000000007E90000-0x0000000007E91000-memory.dmp

Filesize
4KB

Download
memory/4764-863-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/4764-886-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/4764-953-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/4764-918-0x0000000006910000-0x0000000006911000-memory.dmp

Filesize
4KB

Download
memory/4764-920-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download
memory/4764-919-0x00000000068C0000-0x00000000068C1000-memory.dmp

Filesize
4KB

Download
memory/4764-921-0x0000000006930000-0x0000000006931000-memory.dmp

Filesize
4KB

Download
memory/5044-962-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/5044-888-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/5044-650-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/5044-659-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/5064-1042-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/5064-1105-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/5064-1107-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/5064-973-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/5064-991-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/5064-1043-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/5064-976-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/5064-972-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/5064-990-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/6000-872-0x00007FFAC0C30000-0x00007FFAC16F2000-memory.dmp

Filesize
10.8MB

Download
memory/6000-243-0x00007FFAC0C30000-0x00007FFAC16F2000-memory.dmp

Filesize
10.8MB

Download
memory/6000-217-0x0000000000730000-0x00000000007E0000-memory.dmp

Filesize
704KB

Download
memory/6000-218-0x00007FFAC0C30000-0x00007FFAC16F2000-memory.dmp

Filesize
10.8MB

Download
memory/6000-219-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/6000-220-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/6000-249-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/6000-260-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/6000-250-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/6120-887-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/6120-652-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/6120-954-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/6120-958-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download
memory/6120-662-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/6120-649-0x0000000000D80000-0x00000000024B7000-memory.dmp

Filesize
23.2MB

Download