chaos | e505fe2a77857ac94c657999533631289dc76a1c62c73169232dfcd7a25990a9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Yashma ransomware builder v1.2.exe
Size

826KB
MD5

20a7eea3f65edd41df1e3bbce7d2b674
SHA1

44a9d957a24ab0e9f2066e9dfc4da8f9d46f0025
SHA256

e505fe2a77857ac94c657999533631289dc76a1c62c73169232dfcd7a25990a9
SHA512

bf3189616f1ed3ca3059fdbb9ea72c38a2e32804b0c5919f058d0798b928c4fd1ce3d015a4366c3f689bcfaa10d2f1fcd3a169c9e3ec6a68f4abdc47ef386fb0
SSDEEP

6144:pMPUfXnG2omFLhFLuFL6FL6aGMVFLQYFWD/:pL3GcQZ

Score

10^/10

chaos discovery persistence ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

resource	yara_rule
behavioral2/memory/4728-1-0x000001F199D80000-0x000001F199E54000-memory.dmp	family_chaos
behavioral2/files/0x0007000000023cd4-18.dat	family_chaos
behavioral2/files/0x0007000000023cda-198.dat	family_chaos
behavioral2/memory/3036-200-0x0000000000E00000-0x0000000000E0E000-memory.dmp	family_chaos

Chaos family
chaos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	rr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
3036	rr.exe
1484	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Yashma ransomware builder v1.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000f9e9b8759918db018c888aa0a418db018c888aa0a418db0114000000	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Yashma ransomware builder v1.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Yashma ransomware builder v1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Yashma ransomware builder v1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5916	NOTEPAD.EXE
6044	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
2256	msedge.exe
2256	msedge.exe
4008	msedge.exe
4008	msedge.exe
4944	identity_helper.exe
4944	identity_helper.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
3036	rr.exe
1484	svchost.exe
1484	svchost.exe
1484	svchost.exe
1484	svchost.exe
1484	svchost.exe
1484	svchost.exe
1484	svchost.exe
1484	svchost.exe
1484	svchost.exe
1484	svchost.exe
1484	svchost.exe
1484	svchost.exe
1484	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5244	msedge.exe
3448	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	Yashma ransomware builder v1.2.exe
Token: SeDebugPrivilege	3036	rr.exe
Token: SeDebugPrivilege	1484	svchost.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4728	Yashma ransomware builder v1.2.exe
4728	Yashma ransomware builder v1.2.exe
5244	msedge.exe
5732	msedge.exe
5732	msedge.exe
5732	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 1124	4728	Yashma ransomware builder v1.2.exe	90
PID 4728 wrote to memory of 1124	4728	Yashma ransomware builder v1.2.exe	90
PID 1124 wrote to memory of 3164	1124	csc.exe	92
PID 1124 wrote to memory of 3164	1124	csc.exe	92
PID 4008 wrote to memory of 1424	4008	msedge.exe	96
PID 4008 wrote to memory of 1424	4008	msedge.exe	96
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 316	4008	msedge.exe	97
PID 4008 wrote to memory of 2256	4008	msedge.exe	98
PID 4008 wrote to memory of 2256	4008	msedge.exe	98
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99
PID 4008 wrote to memory of 2360	4008	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\Yashma ransomware builder v1.2.exe
"C:\Users\Admin\AppData\Local\Temp\Yashma ransomware builder v1.2.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ds3hqe2c\ds3hqe2c.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AF5.tmp" "c:\Users\Admin\Desktop\CSC97E304D2DF6A4B9A9BED63990734180.TMP"
    3⤵
    PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc285446f8,0x7ffc28544708,0x7ffc28544718
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3092 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14237774068925795421,2315979160830019582,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1364 /prefetch:2
  2⤵
  PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4416

C:\Users\Admin\Desktop\rr.exe
"C:\Users\Admin\Desktop\rr.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5916

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\read_it.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:6044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3D Objects\read_it.txt

Filesize
545B

MD5
4e1993884856220831094e32752cc523

SHA1
b69a2d07fab91e6f0ec1215579aa94bd6c0b82e8

SHA256
e0c71e46f0573d3cce826cbbf67dc2552db72e8b4cd56636645ad0c5c54923f7

SHA512
2f5403bdd9b2fab06109cfddcc77df4be45c30f30d24879a303858eddcdb86b9de5b1f46907cdf04db577c4f35380d7003de42b93e349dfc6cd53f66a3dc4959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rr.exe.log

Filesize
660B

MD5
1c5e1d0ff3381486370760b0f2eb656b

SHA1
f9df6be8804ef611063f1ff277e323b1215372de

SHA256
f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a

SHA512
78f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6d0077a49ed3fb12c4ae2c8c6e2fa9dc

SHA1
c8565c77dfcc395110fe0859615fc5b606134d2e

SHA256
d91b3fd6750513ec41f26d1bceeb20bf461800777430b066fcd365e180609eb3

SHA512
75274fe02647e980edee5adbb88dd19f768f6172494f3d7a07c97fdf42c03739e136167e1957d9f1cd1bcac4d476db6f6d4ff23bd86e936d7583a6fdf7e2212c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dae235e055c4ffea01c8b13841d3b1c3

SHA1
b668190e9763362cd33c2f35f0e5fd700ee83aa9

SHA256
e7cbf9de92acc6a71456b68a992b24f7f266fcabf3222b3510910cb75cf8a85f

SHA512
1e42cb23504e47e8a2bd842e7ddc735e70e4b2fe8e214356af9cae576e2390d55e438af9a8a7641a4041fceaa79215ccacb14ad0650ed066ac9268608bc0a52d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
209B

MD5
c4b38ca7ca6f6fbe84cd8f7e8d2132ec

SHA1
9332b91227f7a9c27dc43204ee3ef0679b55dbca

SHA256
0a0bfea5c85677477d0476e464b090fb03b5a6635762ccfa63417d5295b83f77

SHA512
e469614b3313007e81bb72044ad9dfab508c6c05b83b0c1ac586f30d9dd34e3683815543dfb927dd425f8349f8c540a1478fa15dea021f440634def83f42c9c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7a7ba1916411cb1b27bf2e72c3aaff30

SHA1
d622d200661ac77e8e460ee5491c504863ef3ae7

SHA256
96605a6a3262f83cb7fce5a8b6fbf9d348f5b58422cc43bea46abe7e14cafbb9

SHA512
bffaed538afe01acf4d1d66a67cb0a5c08e53f64c19b967adefef597180e9371efeb73c99ba00ddbec3e6dc39e91c8cb01e0e8745362e949c0fbc3272aad329b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b6e38836584518eb137e0ce7d6e9046a

SHA1
a18a3a903cf199529638a812abe46752354ad449

SHA256
fc96db9871b5e39456a0b0c9672ceeb3088cbc1d58f5ba71126fc6ae40baea1e

SHA512
d8732ffec5e2be8dfb7e9dc331586a686f37800046a1d51a04d245d411c9eec2513b4bd94bb04f345e3c6cb3e3182f39fc5cf1cddc275ea8214854e1fea57cd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9ca6e8b406b7aae5909b65afecb9a2c8

SHA1
c08c39e72ab27295a6558742f87cb34b62eafc60

SHA256
6dac58deb07b290bd3be361dde234e761bd71b7035842e78ab835c0d2667a3da

SHA512
8cd7393ef96f21b52e72527100a1420e095a70b8aea49d5e08e430233be161b608e9e069043892a20523a3536fbf256761b21a0c4381d8589f07b1f4b0ac712f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
59ab5593806a0434129b4ccde3eb3d5d

SHA1
d9f3cdba983c680620314f10b35c1e8aee3c7801

SHA256
164842bcc73016195a21740659c83ce8952c867872067822e0752230e19093b3

SHA512
1c5a20d124e959e2f65034208d5a85876d779bfc823c6986a956857e9d05acd99620a8155206d0a751fc51fea0e79af77c2008a24b1c74b6189c1795b00f89c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ff563478e9ad7a0f3619f9438a59a95d

SHA1
e68cb5e16d5dc0093f592a2015ba4cd26bfe8c2f

SHA256
1e1d35a17b0fcc767642b628ee93eaaf3f2e70a04bdc23f2220ab933eabe4d45

SHA512
8522087f97101cfeced34b95b5e94cf63d34c85f0c110c2fa82723faec5decae337059b731609f312ae3139851208baad3c4569ac1ff107c5d51fec9a891592c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a8d89639399e27f80913211816f32a87

SHA1
fd6efe1a30248549f68b139867924aa3b37711d6

SHA256
20299e147051ed89ddccd3e65f3caa14101c7d8ca5bc9b80c4a645e3fbb579c0

SHA512
90053688281a19af87fccd4579e2ebc56e1326c9e552d6b64aeb63e440c2b42c1dea6a9d67bfd0cd8b5cb6e1947f1d96e28a58b534985e1e02f80e462b85a827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae1f4d09112ab1e1bfd6e180a73b47af

SHA1
98ce8ddf351d1ede07b7c3e46b6236899ba64d5a

SHA256
0b9da540c06975ca5df8990613d45ebdc63975c966aaa32dfaf6b7e2ec9d9e7b

SHA512
cdf5ea612af338d0f31cd6ad722cf2884a0cdb5fe8e4b8d6770ba138a72f85e4d07f3cb6b0c6ebbb0908f3f964c268fd5eee03b1efb37014b9903f408e6f1fac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dbeb949aab4c34d39ac9d8d9e5980d86

SHA1
464af47a47419c2299788720331e47b40e697c21

SHA256
0ac88d9361c2944f8252d2c9d8ad6ead801a522e4e010c964fb1176e0215612c

SHA512
771353bd332d1584d042406d3b9a8ecbeaa65aa73c17522ae96e61c7489aa9056f652e019e9acb7d5a735b932e15f04960d4d0867165c90f21fb7db5ba03cf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87ce30207a726dac057d20b3646b93f8

SHA1
e0ea960fbe909e353a075f7df993b50ea534d575

SHA256
c1286016e0e6a2412efe8ee0d9daf65a16e3ae990a8de8e0ed7ea673b90ad642

SHA512
addebe2709d0688b54590c8932792e081e0d6b5efac9266f390e783fe95411a46b0f7473e0830a83c74cc387c17d0c73e3c75aadbb9431d246d3806cce06ab83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
239B

MD5
cd485331b9cc60a7365521b524307bc4

SHA1
937c3055df74e2e7693605619d7c63cd9907bedd

SHA256
1c3dde69a29cb56ca659ba22163089dc98601977300e80482ed659fee6d02bbf

SHA512
a8cf0aa87f596c2657a96e2a5f58bccfb7707d7ac0446b24061af01c30907e403e5467bbe3b0bd249fabbef376fa59238021678ba31b8681d202aa3db824de1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
52e3c3aab677abed82a2f0ae56f5db84

SHA1
f061034e52ecb6db0d282ac5a18996d44663cfab

SHA256
f309453c64ff4fb5ac86a4929e398404f18466dc140431e5cb138fcf3f26a19f

SHA512
0da43264e9a6677c01a1a3121d22992b1eb2c87ce485da99ee9f6bb8128a43426d8f20c25ce513e26e517e0f701ad7eb08e18b9f769797ac34beb6d3ac2f3685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59fc38.TMP

Filesize
1KB

MD5
61c29a8ece4fcfc4bcbfd0b52c5bf87d

SHA1
6e371998c36187e9b368c452b283948b6ca60acd

SHA256
3e0036e31afb9cb8a1130a30672e7485410d219b8c0828a8adffd7b283d1d96e

SHA512
bc49c0f62270e238599fb8a955e5730471277556ffba04684ea33cdd32d235e5c9f74f86298bb6607f314f1cb3a01eac806928c4beb882bfb2740b5bf362ad64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
187B

MD5
e936f0ee56fb650651707cd33f7b2073

SHA1
d5f8d8da60238b40e4fc61b5d7fb09253f32a002

SHA256
729fbc23d69f283ab970e78ceb86b3a92c7eb5709feb29d2ba17dc3f71a64e72

SHA512
0453b0aaec97a2349c536794f3ca73301dd4d7c18df888140dc283352319d6d092354e528f2c80ffbfa7c3fef38fe64ac42e94451992f1ebba2514688a41b753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
531B

MD5
d06240a39f21dbef376ca5b3a8e1d4b8

SHA1
a5c481850c7fb3b6eb3eabaa107514179eb93683

SHA256
79784efc4c64534e155c18eae7b2c1f0289926a0a9dec218845df83520587819

SHA512
d2a5a25bc59404140a808c3ac9c90851bea952f7bd229c0150963dfdb6e4e5399c20ec3a5d9f820556ba579b8fe7473834c306e06599e84a5403a7923dae2641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8d2c724c4e27082d7e3505a2d1c4317e

SHA1
0a1409a939eca9294b8bcf84318e544aa3cb19be

SHA256
5689cda5341f5c14af5c7e83e43c0f3483a0c075426f70116f88f68f6469c2a9

SHA512
782271f8d677391da83f1dd55855faa18b1be28f75515562a9449a6b3fe613f8e618fde715cbc9ea69515ec3ca5d1e95c6ee555a4458698443b44b018f3ba94a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
25a9c2b7e955f9e9e42902e67601a168

SHA1
86a93bef10c5b8521136e42174fcd54823625483

SHA256
5a6f04cbacf86120995db3d500d2b4953a82839bccbf3ed78833236e679db923

SHA512
c827d2b4e8a1db68fce1bb82a1876ea4c253aec5e90ed6b203726ad7b7740b0ca724f3fdcf98c468a56ea52b20ff9ccdc8579174f9089ec896c38ce15075a400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3d25ec2ac6f44f158d6aae1124b017c6

SHA1
624dd23f55058e0890695901d7821f46a30914da

SHA256
4fc895cad8a35999b6b744ae547acdaed0f705919a3eeb61d334ff41a95320b3

SHA512
2d8a8e905a5099da1cdc5f07fc82e09ed8d403f88ae76d2e04b899e9de20d55d02a74cab4b1ef5aa6960e237d1ee460a32780bb8453702b7fde59a8fefe7d276

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1AF5.tmp

Filesize
1KB

MD5
e59e33f12d176341883b3d2d130defd8

SHA1
9550994e56e5b3d1f385ba76726b0ecd7a9ba3f4

SHA256
8d342c8217d66f596aa99129c312d11678d6292e124c84f6b0614e46853a0b83

SHA512
11c15829965ec9235b26665b818a439761925790a4c2df010acb3434049368aab3e3cedf149e21a5bf178ec40bcf40da4652b828c49b1d8f0cbd45e2a74b883d

Download Submit
C:\Users\Admin\Desktop\DisconnectCheckpoint.docx.327a

Filesize
21KB

MD5
eff510c248a2c75a9300f8f518b7d134

SHA1
b613b582bc0a2983fe9bb6b9b66165d588a691b0

SHA256
a7b68215448dc969ddfc5d9ee9275e7fa1be3179eebe2f85b7dbeb043c4bdcab

SHA512
26dabc288bee99046d29b43d32d5c4a8567e3f548eb1a72ea75e7b9d402232205ac1e7f2c9ec836d5a93ecb459f0e99f2f09e157f00b05dd9c3bc1dc9f5aa62c

Download Submit
C:\Users\Admin\Desktop\rr.exe

Filesize
27KB

MD5
b50e6d34397790ddbb42ceaa5ce0185a

SHA1
de58bba965b512fbdcea8a42e4ebb1f39391b9d8

SHA256
46ffb81d9e65db5052845183904101151789d4ca41b3e0da71ec734cd4796e85

SHA512
0e260acdb23ac43fe001c6662acbbdef523fe93afdb99eceaf7070618757d6cb167236b6d7bcfc0f2eab976ba2dc40a0a5f60c51e9428ef563a44390a778fb8b

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk

Filesize
1B

MD5
d1457b72c3fb323a2671125aef3eab5d

SHA1
5bab61eb53176449e25c2c82f172b82cb13ffb9d

SHA256
8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

SHA512
ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ds3hqe2c\ds3hqe2c.0.cs

Filesize
38KB

MD5
b561ffaa9523836695ad76eb42f38608

SHA1
4ecfcceb2b4192ffaf72f932c2d3a005faea0c13

SHA256
11d77a2ec2725ed7460e62a8f0d6468575d78a29198810c8858e0a68d0cd0a2a

SHA512
265f95f0a9103655b721764f98ca8474324fc94d3d236134df7aa9999ce962ba664db85190cdd6339052d6da89573f58d2090778da6f4cc140e2779ba227a544

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ds3hqe2c\ds3hqe2c.cmdline

Filesize
384B

MD5
632d56e189cdf99139bd089d5f85e1c1

SHA1
f264930be17f818c715fdc4645aa589bbb81f41b

SHA256
81360f07838006ac888033ed2845e44f30c8f7c90e579c9fcfe9f152cf9f8293

SHA512
6871b55e9b4c63f7c81e52c1b68421bab989fc70b4510791feb5b2268922c1749f2dfa9bd3cb5805fc624df37c2c0467e501a082ce214d36062406b28262b61d

Download Submit
\??\c:\Users\Admin\Desktop\CSC97E304D2DF6A4B9A9BED63990734180.TMP

Filesize
1KB

MD5
ddeeca99a829b578f95965150eeb8536

SHA1
ef6107718f9ed301922664a90a1fc06a3c936c39

SHA256
456bfa6eee1badc36b188967d56a0d1ba0196723d074b51a272f2e5b320c198d

SHA512
56b8bfb2aadb7f6c5eb58d4c513d4b769378ab21914ba5b0839a8b375a803972d64ad51e44f21746c70f6dffde92c8382556c2c9329bfe640852e7d2777c3e91

Download Submit
memory/3036-200-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/4728-12-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4728-13-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4728-0-0x00007FFC2E373000-0x00007FFC2E375000-memory.dmp

Filesize
8KB

Download
memory/4728-7-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4728-6-0x00007FFC2E373000-0x00007FFC2E375000-memory.dmp

Filesize
8KB

Download
memory/4728-5-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4728-4-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4728-3-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4728-2-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4728-1-0x000001F199D80000-0x000001F199E54000-memory.dmp

Filesize
848KB

Download