mafiaware666 | 096ef1633a1e4b28ea46406a6324998b5f4dc59f6596c3dfbe7d6ee403186733

Analysis

max time kernel
239s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skull.exe
Size

1.3MB
MD5

3dce90e3a6daa8810d0dec78fd960e7d
SHA1

d44f4aa742092f33ec60264e15f09fd127a7bb87
SHA256

096ef1633a1e4b28ea46406a6324998b5f4dc59f6596c3dfbe7d6ee403186733
SHA512

bd68ff08882a61bbc4d51ca4ae2e055e20db853c79f6ea0dd5867e673af38785ddc4f992c1891ecf6d658bba89556b23797d708f3d7ca1da1eb4332f9a2ea84c
SSDEEP

24576:RTSTiRsBE12BIVpT2QhYpAILUo/g9QZqpMC3QVbIoTdWR8SfEuGujqZF13z8H81:RT7RseZDT2tSbvQsIbe8YVjPH81

Score

10^/10

mafiaware666 discovery ransomware

Malware Config

Signatures

Detect MafiaWare666 ransomware 1 IoCs

resource	yara_rule
behavioral1/memory/4208-1-0x0000000000670000-0x00000000007C2000-memory.dmp	family_mafiaware666

MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
ransomware mafiaware666
Mafiaware666 family
mafiaware666
Renames multiple (115) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	skull.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	skull.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	skull.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	skull.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	skull.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skull.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133829719904575237"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1852	NOTEPAD.EXE
3948	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1296	chrome.exe
1296	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe
Token: SeShutdownPrivilege	1296	chrome.exe
Token: SeCreatePagefilePrivilege	1296	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe
1296	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4260	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 3460	1296	chrome.exe	97
PID 1296 wrote to memory of 3460	1296	chrome.exe	97
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 1508	1296	chrome.exe	98
PID 1296 wrote to memory of 4016	1296	chrome.exe	99
PID 1296 wrote to memory of 4016	1296	chrome.exe	99
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100
PID 1296 wrote to memory of 1468	1296	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\skull.exe
"C:\Users\Admin\AppData\Local\Temp\skull.exe"
1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd7225cc40,0x7ffd7225cc4c,0x7ffd7225cc58
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,16167259649131898973,11098131411195702618,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,16167259649131898973,11098131411195702618,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,16167259649131898973,11098131411195702618,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,16167259649131898973,11098131411195702618,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,16167259649131898973,11098131411195702618,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,16167259649131898973,11098131411195702618,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,16167259649131898973,11098131411195702618,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,16167259649131898973,11098131411195702618,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4520,i,16167259649131898973,11098131411195702618,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4956,i,16167259649131898973,11098131411195702618,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4256 /prefetch:1
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3340,i,16167259649131898973,11098131411195702618,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5260,i,16167259649131898973,11098131411195702618,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:1668

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3220

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\___RECOVER__FILES__.jcrypt.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3948

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\___RECOVER__FILES__.jcrypt.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7fcb961f-238b-4804-8f4a-bac0b21d62b4.tmp

Filesize
243KB

MD5
70b15cb3ad0ad3be9fc22d0a8542284e

SHA1
bc97b140246b9bbab9d07537cb1f08fd819740bc

SHA256
6956bd052eec4541d0ce4e39252fa0e43b37d00cafe843e87307ccf505f48845

SHA512
4f4b36f0dbb0f56e903256b16e8729c4fc2d90573b8a2a2d5c5ebe89d6bb232e7255033833de227b7b06a13deeb938e53750d869239c45c388b25f639618d3d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
803875f3119ad168088f57828c07d4a4

SHA1
74f20960bc7f4107d6b47b4ed3df1ed3e8c00d2f

SHA256
f695eb7f778c845f2e16d58adc2b9b1a1e51aaaaf4cf7af21367b3719bec50a1

SHA512
fbdbf52e9131f186721a1d0d06231a0ee19dee24d22e282ec3e38c1da580fd6c9a426270386fc3f8c58df4408f392681c7cfa7e6eaf314f5cd5de6e9c42fe734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8e2197c3-323c-4252-a04d-221381c5f6e5.tmp

Filesize
8KB

MD5
7af10cfc0f3bdb0e981ae5a6cc5ef656

SHA1
2ff92418941268a0e9b7a52f07bee107c125d8b5

SHA256
74cf193068b70eb9be916f070ccba79e1e833fe3cdf5d7f5aabc8c84bf7da799

SHA512
1f07ce1458ac7a0ce6a29cd9cb62e6edacf4f4ee4a48094e4be93a64f506a4722708507d19accbbb7ea497b17377cb01a4d563cdc86337aef8b3dc935e5c1679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
59e7855425ddc6e9f459885813084651

SHA1
5ce033061ae276d4c73414be11bfad9378b82ff9

SHA256
ec857720a7f3708968b2a212cfc7d527aa1aac1b699f1630d2a5eb11eceba1ac

SHA512
24da94e4e2fa9b68ef02e803c2ec0d3b1cc1b81d9fe309a49c548d9a497785b16c395f89c2aa8b4d7cc75131c73be0bf90fb82dfe50471a978b25d38023be0e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
26425621fb42f2faf7a2007b0d5b2a5a

SHA1
556d9a71bdb557a57e5d4d0e6f85feaf4bf543fe

SHA256
3f7e3b962e51155885daa0df963d444eb46d774a8354208fe4b45e58b0a38887

SHA512
1945c1a72d1dfe9239a2b385d798cd35743ec5b35746a017e9bc0828f42d31b423e5c0747b576b22501f1886191a779377292115d53c32c2086b36e7f6cd1956

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cd0c347992e77769e345b9e8651a6ee5

SHA1
c599d63bf40fe7d6c3827e01dd463df731b62174

SHA256
2a41951c50cb8cfdc7024f06e90572653ed90e9260065cce78f231e9a8cb5058

SHA512
d0553e6846b23cd01439533a15fdb5257d81bec18e6086468eb28da3c0a874547284b06b70d5cb09dbf0ee112ea5ec687e63ca09e8c4a2e26bde3ce16f76ee10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b1a35967dd5ca7b10341c149a2c20699

SHA1
f81e948af0b75498672c187ede83a9270e5ebcac

SHA256
c53bdf0911b7b86553dbc45aef9c657ae6726d83688270a86e8e1ff6aba85c79

SHA512
fbce184417a9d7ebc160f56e9d39e5bb4a31831b5204c86e0405e9dca2403373f6a40f67cee3eed911e33da8bced9babe009fb6189b4b6e52d4aeb91b7deb898

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6b574702f2ad8ae6ed313a47a2945838

SHA1
162ec669cb93bae882dc9a7842fcbe0845ef04e9

SHA256
c15c0721c634cec7d689b99e4a2b3978462a988248dbe66de1eb47043d50e388

SHA512
9adca51a3a1d2d7e675f017548b6a48efa5c83b57ddb2bd84bf61c2d304f66475b917b5517685986e06b70fb8b0a2a0e093de0f10665c2ddba830125cbf89b8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
abd24698f0bed8d4bb4a40c0242bfa3d

SHA1
68da4e3307fb5bfc9e244bb10cb57a086e47746c

SHA256
c31b662b550a2946daa03059ee6bce45aefc75f756f73272cb8e0a0db563f349

SHA512
4e2e7ece932a5d2ce90a193ae46d903a71fea94638c0494b3cc6041f945e698d9ada355875d7a130890c3f5e493555c04b7258229a68af9366c662ad416def1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
243KB

MD5
a8d64b7fde63e4309cca158991433b6b

SHA1
5e7697a532ee8cbfead6b99d577ff501681e1ef5

SHA256
678eef8b8e1963bc87829d53a28e0cd6589a12f40721b364a25ec8de307d6bfc

SHA512
3104a1a3977e1ae3cbcb81cdb5f15552818af5d7e8927eaae985d00993588fff0c89cdc3704b6d8cc1a49c56dbd7fa79e46b04933f5daef2583d02352e63eedd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
243KB

MD5
9a65e5540b81d5332b24e4c4e800ecee

SHA1
249a457c6791043c335d207bbfa0bd0a20871313

SHA256
79e80a4e067eee742355bf31c0f78e375252364c79aa063c01a4b1c73379c4c8

SHA512
79640020b515e5475b42da977272a1c9f7f02c5ec0899cfd94bdd1c07d0d3a68a0ccebf53fa4d48785a372cac14ce95b2e353a97140306aaab4a55f197ddc884

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
243KB

MD5
7267c269144b447588faec3645eb1017

SHA1
03c4eb64263173bc51d2fb66a38dbf8816492ad3

SHA256
7e8c1f5f5ce734eebcb3206cbb9bb76b9cec3d5a45f65085346f10f9181f7a71

SHA512
6e54e6ce9eb90f542e09f43e8a6fb58de89dedfcc565215cdf96ba460a474011a18607bfa24a3e4c1bb80f4e8b5ab5975caeb0cc50fc26ac764f10f86b724d1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
776c2a17ccc357f362feb511f29f39f2

SHA1
7ae9568f0819b850160ed2d1aa6530736cec8533

SHA256
f0d7297cd6525f92221ce9db767c80304a0b134fbfdf4c87e4d0e2885b30a8c9

SHA512
f25db5a0f233a4372086a3704799de9a3f63e38cab78fd20e17c5af3103e45a105f78a2a723db0ab99d9cf62b48295e1f13a4d307922b07463e5ee402c2565f9

Download Submit
C:\Users\Admin\Desktop\___RECOVER__FILES__.jcrypt.txt

Filesize
4KB

MD5
7afe47af401fd1a6652ebb4cebce8548

SHA1
38bf72f4819437b01491729818f765252cf2e0cf

SHA256
ad7429a3374ad1904e848d19c8220bfd0842eca351d0029e14d1f5e51645aab1

SHA512
772716495e87fce33ad0bcccd843721d420973200a3e41e893a1de36a7316d420622bba8734a7723215ba0ae8d95ada0f2d4d119ec456823432e09e4089441ea

Download Submit
memory/4208-6-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/4208-25-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

Filesize
4KB

Download
memory/4208-0-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

Filesize
4KB

Download
memory/4208-29-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/4208-5-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/4208-4-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/4208-3-0x0000000005240000-0x00000000052D2000-memory.dmp

Filesize
584KB

Download
memory/4208-2-0x00000000057F0000-0x0000000005D94000-memory.dmp

Filesize
5.6MB

Download
memory/4208-1-0x0000000000670000-0x00000000007C2000-memory.dmp

Filesize
1.3MB

Download
memory/4208-32-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/4208-127-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download