Analysis
-
max time kernel
359s -
max time network
336s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system -
submitted
02/07/2024, 15:12
Behavioral task
behavioral1
Sample
Chaos Ransomware Builder v4.exe
Resource
win10-20240404-en
General
-
Target
Chaos Ransomware Builder v4.exe
-
Size
550KB
-
MD5
8b855e56e41a6e10d28522a20c1e0341
-
SHA1
17ea75272cfe3749c6727388fd444d2c970f9d01
-
SHA256
f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
-
SHA512
eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
-
SSDEEP
3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168
Malware Config
Extracted
C:\Users\Admin\Desktop\read_it.txt
chaos
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 9 IoCs
resource yara_rule
behavioral1/memory/4764-0-0x0000000000550000-0x00000000005DE000-memory.dmp family_chaos
behavioral1/files/0x000800000001abf2-14.dat family_chaos
behavioral1/files/0x000800000001abf7-22.dat family_chaos
behavioral1/memory/2944-24-0x0000000000A40000-0x0000000000A4C000-memory.dmp family_chaos
behavioral1/files/0x000700000001abf9-98.dat family_chaos
behavioral1/files/0x000700000001abff-106.dat family_chaos
behavioral1/memory/4100-108-0x0000000000E40000-0x0000000000E4C000-memory.dmp family_chaos
behavioral1/files/0x000700000001ac07-139.dat family_chaos
behavioral1/memory/992-141-0x0000000000B10000-0x0000000000B1C000-memory.dmp family_chaos
-
Drops startup file 3 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe
-
Executes dropped EXE 26 IoCs
pid Process
2944 hvh.exe
2616 svchost.exe
4100 hvh2.exe
2964 svchost.exe
4540 hvh2.exe
2484 svchost.exe
2156 hvh2.exe
2100 svchost.exe
1272 hvh2.exe
2192 svchost.exe
1544 hvh2.exe
1748 svchost.exe
4280 hvh2.exe
3864 svchost.exe
3984 hvh2.exe
4336 svchost.exe
992 hh.exe
4196 svchost.exe
2552 hh.exe
4428 svchost.exe
1236 hh.exe
4452 svchost.exe
1704 hh.exe
1940 svchost.exe
604 hh.exe
4124 svchost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 35 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 3 IoCs
pid Process
3016 NOTEPAD.EXE
3196 NOTEPAD.EXE
420 NOTEPAD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2616 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4764 Chaos Ransomware Builder v4.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process
Token: SeDebugPrivilege 4764 Chaos Ransomware Builder v4.exe
Token: SeDebugPrivilege 2944 hvh.exe
Token: SeDebugPrivilege 2616 svchost.exe
Token: SeDebugPrivilege 4100 hvh2.exe
Token: SeDebugPrivilege 2964 svchost.exe
Token: SeDebugPrivilege 4540 hvh2.exe
Token: SeDebugPrivilege 2484 svchost.exe
Token: SeDebugPrivilege 2156 hvh2.exe
Token: SeDebugPrivilege 2100 svchost.exe
Token: SeDebugPrivilege 1272 hvh2.exe
Token: SeDebugPrivilege 2192 svchost.exe
Token: SeDebugPrivilege 1544 hvh2.exe
Token: SeDebugPrivilege 1748 svchost.exe
Token: SeDebugPrivilege 4280 hvh2.exe
Token: SeDebugPrivilege 3864 svchost.exe
Token: SeDebugPrivilege 3984 hvh2.exe
Token: SeDebugPrivilege 4336 svchost.exe
Token: SeDebugPrivilege 992 hh.exe
Token: SeDebugPrivilege 4196 svchost.exe
Token: SeDebugPrivilege 2552 hh.exe
Token: SeDebugPrivilege 4428 svchost.exe
Token: SeDebugPrivilege 1236 hh.exe
Token: SeDebugPrivilege 4452 svchost.exe
Token: SeDebugPrivilege 1704 hh.exe
Token: SeDebugPrivilege 1940 svchost.exe
Token: SeDebugPrivilege 604 hh.exe
Token: SeDebugPrivilege 4124 svchost.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
4764 Chaos Ransomware Builder v4.exe
4764 Chaos Ransomware Builder v4.exe
4764 Chaos Ransomware Builder v4.exe
4764 Chaos Ransomware Builder v4.exe
4764 Chaos Ransomware Builder v4.exe
4764 Chaos Ransomware Builder v4.exe
4764 Chaos Ransomware Builder v4.exe
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5b5teebi\5b5teebi.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3781.tmp" "c:\Users\Admin\Downloads\CSCFA921DB9FAAB40B7B0373418F122BDAB.TMP"3⤵PID:4168
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ciy3xpv0\ciy3xpv0.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2B3.tmp" "c:\Users\Admin\Downloads\CSC93B926F2CADA4E11B82357DFB72E606F.TMP"3⤵PID:760
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3emxat4l\3emxat4l.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8CA.tmp" "c:\Users\Admin\Videos\CSC5D3AD5B232A94ED788E06540B1492B70.TMP"3⤵PID:4612
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s fdPHost1⤵PID:2996
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1592
-
C:\Users\Admin\Downloads\hvh.exe"C:\Users\Admin\Downloads\hvh.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:3016

C:\Users\Admin\Downloads\hvh2.exe "C:\Users\Admin\Downloads\hvh2.exe" 1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100
  C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964

C:\Users\Admin\Downloads\hvh2.exe "C:\Users\Admin\Downloads\hvh2.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
  C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2484

C:\Users\Admin\Downloads\hvh2.exe "C:\Users\Admin\Downloads\hvh2.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
  C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2100

C:\Users\Admin\Downloads\hvh2.exe "C:\Users\Admin\Downloads\hvh2.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
  C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2192

C:\Users\Admin\Downloads\hvh2.exe "C:\Users\Admin\Downloads\hvh2.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
  C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1748

C:\Users\Admin\Downloads\hvh2.exe "C:\Users\Admin\Downloads\hvh2.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
  C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3864

C:\Windows\system32\NOTEPAD.EXE "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\read_it.txt 1⤵
- Opens file in notepad (likely ransom note)
PID:3196

C:\Users\Admin\Downloads\hvh2.exe "C:\Users\Admin\Downloads\hvh2.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984
  C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4336

C:\Users\Admin\Videos\hh.exe "C:\Users\Admin\Videos\hh.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992
  C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4196

C:\Windows\system32\NOTEPAD.EXE "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Videos\read_it.txt 1⤵
- Opens file in notepad (likely ransom note)
PID:420

C:\Users\Admin\Videos\hh.exe "C:\Users\Admin\Videos\hh.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
  C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4428

C:\Users\Admin\Videos\hh.exe "C:\Users\Admin\Videos\hh.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236
  C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4452

C:\Users\Admin\Videos\hh.exe "C:\Users\Admin\Videos\hh.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
  C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1940

C:\Users\Admin\Videos\hh.exe "C:\Users\Admin\Videos\hh.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604
  C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4124

Network
MITRE ATT&CK Enterprise v15
Downloads