chaos | f9a5a72ead096594c5d59abe706e3716f6000c3b4ebd7690f2eb114a37d1a7db

Analysis

max time kernel
252s
max time network
248s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02-09-2024 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Yashma ransomware builder v1.2.exe
Size

538KB
MD5

13e878ed7e547523cffc5728f6ba4190
SHA1

878ad3025f8ea6b61ad4521782035963b3675a52
SHA256

f9a5a72ead096594c5d59abe706e3716f6000c3b4ebd7690f2eb114a37d1a7db
SHA512

a7fa4f14deb65aa8de18e37e4fba3d2fa6ed696b70c4d0f1f49a65a4d43da76eff0d9a9c4703a6e3c13a37eb5d1a427e43be8c0ea6b1288a50a1c5175d9392c7
SSDEEP

3072:tq0G/vqRT5i2YcRVm16Pn690H7GMgXuD//bFLAkCgkUKEyF9aT5Zt19r+E1/bFLz:U0G/GiWm16YaGMVFLQdD8FLz

Score

10^/10

chaos discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\read_it.txt

Ransom Note

Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Emails

[email protected]

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

resource	yara_rule
behavioral1/memory/128-1-0x0000000000660000-0x00000000006EC000-memory.dmp	family_chaos
behavioral1/files/0x000100000002aada-136.dat	family_chaos
behavioral1/files/0x000100000002aae0-189.dat	family_chaos
behavioral1/memory/4628-191-0x0000000000860000-0x000000000086E000-memory.dmp	family_chaos

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
4628	eee.exe
4316	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1735401866-3802634615-1355934272-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133697492464453818"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Yashma ransomware builder v1.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Yashma ransomware builder v1.2.exe
Key created	\Registry\User\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\NotificationData	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Yashma ransomware builder v1.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Yashma ransomware builder v1.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Yashma ransomware builder v1.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3"	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000f3c2f877f0e4da01af249297f3e4da01af249297f3e4da0114000000	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Yashma ransomware builder v1.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Yashma ransomware builder v1.2.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4580	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
1400	chrome.exe
1400	chrome.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4628	eee.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	128	Yashma ransomware builder v1.2.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe
Token: SeCreatePagefilePrivilege	1400	chrome.exe
Token: SeShutdownPrivilege	1400	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1476	MiniSearchHost.exe
128	Yashma ransomware builder v1.2.exe
128	Yashma ransomware builder v1.2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 3384	1400	chrome.exe	83
PID 1400 wrote to memory of 3384	1400	chrome.exe	83
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 1344	1400	chrome.exe	84
PID 1400 wrote to memory of 4008	1400	chrome.exe	85
PID 1400 wrote to memory of 4008	1400	chrome.exe	85
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86
PID 1400 wrote to memory of 2752	1400	chrome.exe	86

C:\Users\Admin\AppData\Local\Temp\Yashma ransomware builder v1.2.exe
"C:\Users\Admin\AppData\Local\Temp\Yashma ransomware builder v1.2.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zduoldge\zduoldge.cmdline"
  2⤵
  PID:1356
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA3C.tmp" "c:\Users\Admin\Desktop\CSC65838EB25A2D44DE8B42F42A6D7CC2EE.TMP"
    3⤵
    PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cb15cc40,0x7ff9cb15cc4c,0x7ff9cb15cc58
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,5532076348704691365,3886218358970481791,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,5532076348704691365,3886218358970481791,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,5532076348704691365,3886218358970481791,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2920,i,5532076348704691365,3886218358970481791,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,5532076348704691365,3886218358970481791,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4424,i,5532076348704691365,3886218358970481791,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,5532076348704691365,3886218358970481791,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,5532076348704691365,3886218358970481791,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=212,i,5532076348704691365,3886218358970481791,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1688

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1076

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Users\Admin\Desktop\eee.exe
"C:\Users\Admin\Desktop\eee.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4628
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
8c70a081513b9b6b57176170ad4631f2

SHA1
1fef79c42e99fcdb28e4032cc189ae07a043bf23

SHA256
da3d4c9598cc59f71715904a8aae6fe3caf08f8e6230e086e6a63d7c44036c85

SHA512
14a64ad5052b86ec163da43beb47044818da8742db259eccbdb2b98f9bdd211717bd73367dba1f5c229f6470c67d3af191ebbd63767d045a3eca446a7a25a478

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e19c7a1cfc7404859bbc891096dd08c2

SHA1
c6900aad731b680a355d4ea2ae2a68c3a0f32d0d

SHA256
1f256f8cc46d0ca81483a7097b7c75c80ac81457166127d517c74eed420a062e

SHA512
a5aa8020ebbd91b3d2ea07c1b6fcf1470abedd311fdfb50d72173c8e364eeceeec49340f02bf64db897f84ef641f07ab9142c4eb06e7081b3623d4657ae8b7b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
baf21dd93fe427e7434e8ae6fc1493a2

SHA1
fcd87442487527d84e3240ff3cce9c7658836899

SHA256
b9e759d2d3b3c56246e51b6f75cf3e1118e7dfb88ae23b1def093e7150b30c1a

SHA512
460b2f8c80c12ffc039b9a57e0c120e89cb72cb48aecf21100cd4f2dc76e7ac4c6a9e4e306c6761966d7310c75853351fcc636a832bc616116aa2929a1722abc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
df4544cd323d688f186104bdc40cbef4

SHA1
72c75ea98f92c0b32cf8ec4a7098f891c94c37d8

SHA256
6d6cf2669dfa8ced33a54b1e55dae11520368898347b896b309dfde99ff94834

SHA512
3f93286dbe558e09986b59a284afad04fef500a2929981157f8ffe6e3d56641b3b547fa9033d6b786a2549ba8d71dbf7648af9a51130aec6412b83881b4d8115

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
350B

MD5
28a2db1d413f70651008e248bc876997

SHA1
ba96c73f53d51218c99446d4f5c4b5e65922ede2

SHA256
921629df18e58a2ae0b469feac65753ea9ea158b7f376327e723885bd820c08f

SHA512
9947038d64cd5db3790dbaf839ebc3fa3b1c4548786d071338906e6f43d87f5b87582911070731da766999121a61c4beede7551d46dfd918d9ca5d7e3ed56632

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
544c74488410f2977a67d25c0c9cb5bc

SHA1
8f2036c74aa9bdfda715d9a11bdac53fe322b138

SHA256
d84972b401b85bb1845d213c90b73c0e0ae56a2374581a45998c80c1dd87d8b3

SHA512
513ffd149177606203ebdd849d1dfa66f63ee6907d1562f8120a7858a3381cf02a85f5d53a2850e97ae5894568a0eff8f001cc5c9bd6ea0063c7f01a24d955ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df78e194d75b4fc4ceb89ad5ca4d3125

SHA1
2f9ce7ef403ef49cbd6320542f0ef1f120795cf1

SHA256
1b94497108ea8a52895bedef0fe525c1fdac68c907b09bb7135d507e62eef72c

SHA512
8a9ceb28518e86679e80d1232fee5358230fb405c1f2a4c533f1cc2095657b7a2a1f32f64c81bfe3676fd526caa0aec2ed2449c3daff73c8cf317b7da645004e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c0660d24d795b28bd3bb3b577a11cb73

SHA1
0c88f538da58309d45be2f037860154b7abffba9

SHA256
7a1213ae8423fa276724c85b3f14f17eb3426d02460bb3717b92c494a4d4c46c

SHA512
81bdee6fa40e2497e2b477314f0a3f358727ab8199ebd7ba6cf172ba8cba7727cdf84096be45e284b646e747ea337d7bfba79a8d1c8e61f6849150f2f87b8291

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
00331ff021671af258308d4dbb0df115

SHA1
08e090955ce100eca1a748c97a97cab50b07392e

SHA256
22ac2c43aae1c1612ccaa465c1f927560302d3c116a302cc41c42c2a6c99151f

SHA512
9b250060034a584e36aed69de62d727e9fb0787e61688427a76d711947597acd193d9763dd4f8babf205140c8c01a6dc2d60514f0cc7b21cca4f4f03399917b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1363fbdbd53163e8082cba65b7d4e07c

SHA1
8d0e6b86e67ed76fe70cfdedb7af56eca4d1ae11

SHA256
0e32857495af83035c5fa6a939489a0ae794bdc86c26a035d4ccbab99eb94e56

SHA512
e043267e38c73006d98e218bf7ae9b2083cf6bb77f2c98dc73a51bbfbd43e615f90fe801c207fbccefd1c7564e578a7b9439ed00557bf83521e831befe23ffd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
93066d68145b810137d794c8e33e1770

SHA1
9479618cfc8c7c7e8016c0ab4bfd49efa52c1377

SHA256
c208430bc8873c18beef7843b2c3ab6a229027c0140f8843fead4c43a8ff9e23

SHA512
7b0afb45429b426acb9c449111dd40c8b59ea16a0b478f582fb2a537273fd7e2ba3dfae72110d21f40968f1ee8cff4f0397b7a906c2873b5f7e4fff589a88d2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
504bce32720d84b5f20d72c04f4f9905

SHA1
024fe25aec5bd48d157dbb12764d11b9143fe59c

SHA256
8eeb744e56716e1ef9c1df70218fc28a4f03db5e41f8966bcccd9d4cad89b316

SHA512
1dc2c2fedd91dff0b529ab1bced94f5cc6b42ab3302a353edc60dfbc9c0ebd21b3a516a96a7ca2c71bfcfe7b9eeb6b9fbb8437f84716e9245547e966b1511b46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
67d917255db27545d7d1f2fb3ce907e7

SHA1
291d65858e3febf85ebfc18c7a3e032ff60ef639

SHA256
884903ed1b3d7705c6c58b317e439148824f6b11cf6f531fc3add662f9833cc3

SHA512
2f06097e80e4875776aa405abcb50ba2b37b0e20f0f890d356afe01f30d2f8f40f0f2921a0c4a0ac0e0300b39d3e0259bf393bbe1071e259b0ebbe973391ecf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9ca4b213c3d9241e3a66797822ced0fa

SHA1
f844356fe353998424963d62e912ba30bb9fb174

SHA256
c44d0869478067954645162b7be8c550a2f54372d4faa2f81c41699cee26b865

SHA512
ebe2a8f872b85469d5e1def1142b2b9f135d250164940869adca5ba54c6728acfb35b4d97f2f3e03b0590fdb07ac7d9c71b68444b038f7ce9a01d7d040cfc386

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
65d9ba835ee254d95946b9855254218b

SHA1
25d2bee51a52a062c8169e6ffcf9df0ef9ff84af

SHA256
f3c569b144bfa0e473a19692dfad1e387883532f7b7182f5726a266a8359ada4

SHA512
2b67b2bb6b49f5fba150d5d8c2fc0e8250ee452f0fd21ce08ee3e2475935fd26d90a482c663a41322228ef7d4f62ecd3277ab8d43d10d01cac7223592de57b0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e37dc970cdefbefb3a50a7f94c6e2db1

SHA1
b42e96b7f5a06aea46edbb1f8fc19075e2708ca9

SHA256
8ea97f745b6942ae834513ab6c20fcb974da13352dcca30bd1277775792d3ca5

SHA512
96d13dd01e21f0f746e2001f28f4242365721b837bb11971bda3dc49f78bb3d98c2b1837d4a5b9a57623cc412988c73d13c3fe9cfe8be2a4fd43b5cb17468104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
92754bad731f52752855bef8871a8b81

SHA1
b1d67b9f4d6ab1be1b4a370fc97285a3573dae10

SHA256
f41031de40918c433123fbcab49f15197af65a694ab3bb8d19d52ca779465645

SHA512
12b31de2ca7e46bbaaea930f340c44dcb4de21a6e509f3220d20aac52d4840a53a20129b1a58383e02c65e8feb249cafcda1e0fed1aafe0eaf3813050d28ad8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9e141f93a03a2dbb5bfe041beef15dc2

SHA1
ff393eb4bfd1203ce0c9e9ba1c9860e07bca7fb9

SHA256
366c142108534d6195a125460727fff641a8518b867c11cb1a664c901e77c54e

SHA512
5b4635b6a69963d5f90db6e995e42e011acbde5de5eed9f0a02e754e372a4089f734b6b975c9b4ac1181e650a4633310d1ad8e717aa0a7b93c0ab09499b1ceae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df83842338e4767d0be607bdfe4a1d2c

SHA1
5fda83def99ca502c48ebc5cfa9f55bf11bdf45b

SHA256
b23ab8c2305ca830e6a3034c2bfef4fb642933fda716f273254290980c6c2145

SHA512
00e845def121abccc4db0b519338f1889f18ad0948050e072a38a47112ba4e1d1a91fd62744502522b48a29d08e0d43703b267518b77f17a7147c179ea498ae5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a7bdd101495144d59e6afd52b0b9ace9

SHA1
c66347e44d1b877f70f407ef3e589035f6b209ac

SHA256
91b77cde0b78c978c9af58380a1e933f13991b6db8f7ad20e1435f204aaca8ef

SHA512
64589a86ee642e18ad1c278b0341fafb701becf1a1a8bb9a7e1b768ad4f8c3ea6888357a111b1857dbf0c40daa783d6fee6574debdffcfb65afb2ee893e96394

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0127ca2c109aacca5a27d052107a7623

SHA1
811959d3c197bbe7ccf74d0d77885c66d27330f8

SHA256
7433b304e396b261d09698ce1f7d2e4ee8be3436c8f80f92a2adcf3508dbead6

SHA512
23f695e823270d8ec24a84a156ea4abf78b3f8575dbae729cdd17ac10e6f9323f45ebd636f1664a726cbe693728a2ea8fab7510194c696128ff33d3a339790fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
66d9f24a464612621b77030758547314

SHA1
0696f811a78bf72ea7195210e63645bd494c4175

SHA256
49bd6cb800afd206dd65177cf4012155989927af51c40e50515f3f4399f10783

SHA512
32288baf4796d3b9b8bf680921bd2a075bbbb57dff04e60b9b5a62b9b106d835310cbfc8722412206d3995d70c8a7a6dca4e0da66be63c844aaa23e7d26bfe5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2fb7f6e85c876e5b2ffae8712da95fce

SHA1
cae7b32b58339398393f54db56e6c2309006c98c

SHA256
6558fb55eacdd4522689e3d23e1f97e8ff7442113a69b8c1d3cb28f37647e2be

SHA512
fb66819f1198b8987888c49e0b9e638acb06b7d9bdbffffe6d0e04e842ff11641fc11e8a940c47bd1ccf16f8f2c590b647aef4cc9bc59c2a5356110fb563def8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
289B

MD5
541c42f1c98b3e1b011d22eba854e707

SHA1
db30188de1f22e3077e7044be1386a5d0ecaed9d

SHA256
0768e811c51ac61a8e573ac6b53f89dbb1d89eb2fcf62536a9a5f730329c584b

SHA512
47828c1b40deb8d37d6ff4fc8f7673fbb59b40e07f54f0fa4121b91941160134c251e20f7f28f7ee5185f3c8aee2b7e95a1bef573bc64c68912016accbe90604

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
16KB

MD5
21c146562f6964956decef0d4a017159

SHA1
fcaf4a13ba18fb1130fff64c7ce2971b8d53a7a8

SHA256
6fa018ca74c346b867ba34511ab2f1c61dd63bd8b489dd4c82150e13a6a6b53f

SHA512
9689d9a5620c9cd1546d6c8cc2a36bf7e6e289255bf312d6c77730822634b285f66803d6bea9b9e5c27c78479bb65189db6ad6817c25dbba52c6690e7ee2905e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
4ba1c4ad2dbb7d5cf0175d4e80681ad7

SHA1
1ab44c8fd8f5ec5bfd8561e90a61d6f6acac3efd

SHA256
634fec43ca72d25f199aa05aed3cb360f79fa311264ec7894282e776d7008b0a

SHA512
cc111758632c151fae2480b40337edfeaf68804ef53cacaf0c0a2350c1f4ac3f68ca877fc0090ebca07f355b9e4e04311d79d3366d8c50add8c5a38e3af22664

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
53cd5ca7077688478e17afda3da85fa9

SHA1
295b2e8c6db342a078198b66fe9769c7b92889d2

SHA256
d08d009c1f43a7bcf75ed71e67b4e81da45eb8b22f22ba91235737f6e266f22b

SHA512
6ad99c2b655c168d16b4ef68bffca68f598383e85560be4937209c818db29787817fce3d4fb322b1c8c8271ce8aa879ecc2b06a4f2738b2af8ce91a4a1c578a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
23c108ae8e91cc9506c9416a18e2c07f

SHA1
31f33d69c6442aa8ac6a5d71aaf590a7dd9b8da6

SHA256
d4ff596cecd96c5d2ace0c9e9321a4b59a7276ebcb50fadff77913bace5dc7e6

SHA512
96202904495590eeaf28c0dcf1d032ce3851557ac0ea29424a784f7e58d8c9242740971b31bd3e4219c15c346d9cc46505ed58ae33a912a9ab3def58ab4b9561

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
5a1706ef2fb06594e5ec3a3f15fb89e2

SHA1
983042bba239018b3dced4b56491a90d38ba084a

SHA256
87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd

SHA512
c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\eee.exe.log

Filesize
660B

MD5
284393596fdd49bebd7b861bf339b82d

SHA1
a36767dfc423b3c7fd3ff439b616862743a053c8

SHA256
0e692bcbba51ca4e766a427c9f28a7a4a9e326d2cf835493e57a9dc2121326b5

SHA512
8d3247ee0c3bf9a9fceea23eb5c646dbd8b3d954f4d62622f49070629e642d6a13bfb0d27949e2355c081d45f5a1101f05a9972782a0f0a478ed90f551d2efeb

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
4d52399020a24c1f6b4254cc7252504b

SHA1
2afe0c8994c64898d5fe16ca68811438ef19b0ee

SHA256
e75a14ce8abaea1788c4361552ef9ef2b86ea02485eb4ad5f8c22c9c49ece3e7

SHA512
a481726d4ef1dfd67a86ae79e16abda87a0f370310758cc8a1bb2516a69557129e9612b9430c0ae11d7ddf72e1afc3375f5649a09bb53febe5cc16718ba976b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEA3C.tmp

Filesize
1KB

MD5
c73ea95284b13f3fc6c260987e8f176a

SHA1
f44fa5b5804b416fb99234ee758d17c8f26c36a3

SHA256
f1f3669ed5287153ae9528799134e08692b984303eab211dfd3d074179cde85a

SHA512
09d80af250c68cde25a168e2400cff9b6a58aa94aa725c0c52631b6770f6a8380c09d57a205a9bee48f3ef96d346ec15a0ad1bd39561d25ebb86bdf813f2a62d

Download Submit
C:\Users\Admin\Contacts\read_it.txt

Filesize
582B

MD5
ed5cc52876db869de48a4783069c2a5e

SHA1
a9d51ceaeff715ace430f9462ab2ee4e7f33e70e

SHA256
45726f2f29967ef016f8d556fb6468a577307d67388cc4530295a9ca10fdfa36

SHA512
1745aefb9b4db4cdd7c08ee3a7d133db08f35a336fd18b598211519b481ef25ac84a3e8a3da3db06caef9f531288d1cf0ca8d4b2560637945e7953e8b45421f5

Download Submit
C:\Users\Admin\Desktop\ConnectPublish.7z

Filesize
1B

MD5
d1457b72c3fb323a2671125aef3eab5d

SHA1
5bab61eb53176449e25c2c82f172b82cb13ffb9d

SHA256
8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

SHA512
ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Download Submit
C:\Users\Admin\Desktop\eee.exe

Filesize
27KB

MD5
37dde22ed04c0921693b51df00a47c01

SHA1
d955702b5e99ac4dacbe05d2e5db7271d63cfcb3

SHA256
d16844f3726589c843ecdbd979b59f9d3d159e94bc6b4046c871694bb9718067

SHA512
450bb6b092a6d333dd494b536e638324aca3f29d8e80ff6ac842d70b0717f79ae9dfa35904b12db2f852d85e08495b0d3c10d0683aa779cf98ad6deb6f54aac2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zduoldge\zduoldge.0.cs

Filesize
39KB

MD5
a33180405f674cee3834ddd7e123586b

SHA1
6d92f0138051f8c186661fb1077392e332c2f62e

SHA256
a20454a1c8b07bfa4deee19f1f65a6cd6c44b4d8d6f18acde7fa120d50b0e434

SHA512
f6d255e3210fe069c0fe4a30a3523dbe799593b93c168566406fb051a726ec85078ef0f7525de3ad5aefb29360aca329e039edc40347bbc9869d26bb6b229882

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zduoldge\zduoldge.cmdline

Filesize
385B

MD5
fcbc6931aaad71171579d7f2d1cb91bc

SHA1
1b211901b4f87de1f7f7e0bd5bb982f0f7fc61cf

SHA256
c1f19a44de5c48c31361d64a91696db00c0b55a112a9448229c8d021dce0a9b1

SHA512
95b7398922a52a49e7f3d4f9b24e3dac429ef02ec431d2c7900cc6ac9030db3055ec8385f1941014f35a5cad467a89cd3e35494dd39a741b9ec2737fbaa829e4

Download Submit
\??\c:\Users\Admin\Desktop\CSC65838EB25A2D44DE8B42F42A6D7CC2EE.TMP

Filesize
1KB

MD5
3f33bff10898e0a2271ec42452267a52

SHA1
83509c1785d24462234802480b5ee785b6d32791

SHA256
19276e53cc56d418964d348c55b8e484d9babeb2d106eaed953f97b1413b3c51

SHA512
d7e9ed2a545bc02a7c4340bed4cb55b3fa97a0b814b1e0176318d4c5dc9227137a7c887b4ec75c5fbcb1e6bc6e6962f0c4b7f0b350fe57e57949f451058c7725

Download Submit
memory/128-0-0x00007FF9CFC13000-0x00007FF9CFC15000-memory.dmp

Filesize
8KB

Download
memory/128-75-0x00007FF9CFC10000-0x00007FF9D06D2000-memory.dmp

Filesize
10.8MB

Download
memory/128-55-0x00007FF9CFC10000-0x00007FF9D06D2000-memory.dmp

Filesize
10.8MB

Download
memory/128-44-0x00007FF9CFC10000-0x00007FF9D06D2000-memory.dmp

Filesize
10.8MB

Download
memory/128-43-0x00007FF9CFC13000-0x00007FF9CFC15000-memory.dmp

Filesize
8KB

Download
memory/128-94-0x00007FF9CFC10000-0x00007FF9D06D2000-memory.dmp

Filesize
10.8MB

Download
memory/128-13-0x00007FF9CFC10000-0x00007FF9D06D2000-memory.dmp

Filesize
10.8MB

Download
memory/128-12-0x00007FF9CFC10000-0x00007FF9D06D2000-memory.dmp

Filesize
10.8MB

Download
memory/128-4-0x00007FF9CFC10000-0x00007FF9D06D2000-memory.dmp

Filesize
10.8MB

Download
memory/128-1-0x0000000000660000-0x00000000006EC000-memory.dmp

Filesize
560KB

Download
memory/4628-191-0x0000000000860000-0x000000000086E000-memory.dmp

Filesize
56KB

Download