Analysis

max time kernel: 686s
max time network: 681s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-03-2024 10:12

Static task: static1
Behavioral task: behavioral1
Sample: elmo.png
Resource: win10v2004-20240226-en

General

Target: elmo.png
Size: 58KB
MD5: 22db694f32128e27a1e1a03512057096
SHA1: 2423ae25333ec4454cbcd807cb1eef188aa6d2ff
SHA256: b90d8effccd1bcfafd2efcfd786aeaf1babd741e2a0a8fbe9e0f981f66066bcc
SHA512: 3554c9a4bf2f9efb5244b891f8c0e774e36a6ab6cc4f33a1c099412d72fd37d77f348d8e4d740da0473c53c8f05318b560ddf6844afdb7cdb52a22887a3ec011
SSDEEP: 1536:ECybInfrx+GWbCJQZKUmZKuvOkyBlPU0Foj5EP6ddtyBxf:ENInfQGEITKu2rXPUfUayTf

Malware Config

Extracted from: C:\Users\Admin\Desktop\aint no way boy.txt
Family: chaos

Signatures

Chaos
  Ransomware family first seen in June 2021.

Chaos Ransomware (8 IoCs)
  resource (yara_rule):
    C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe  [family_chaos]
    behavioral1/memory/3244-428-0x00000000005F0000-0x000000000067E000-memory.dmp  [family_chaos]
    \??\c:\Users\Admin\AppData\Local\Temp\grwbmh3j\grwbmh3j.0.cs  [family_chaos]
    C:\Users\Admin\Pictures\MinecraftInstaller.exe  [family_chaos]
    behavioral1/memory/6076-891-0x0000000000C90000-0x0000000000CAC000-memory.dmp  [family_chaos]
    \??\c:\Users\Admin\AppData\Local\Temp\3uinpxj5\3uinpxj5.0.cs  [family_chaos]
    C:\Users\Admin\Pictures\MinecraftInstaller.exe  [family_chaos]
    behavioral1/memory/908-1026-0x0000000000660000-0x000000000067C000-memory.dmp  [family_chaos]

Checks computer location settings (2 TTPs, 5 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: ioc (process):
    Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation (MinecraftInstaller.exe)
    Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation (MinecraftInstaller.exe)
    Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation (MinecraftInstaller.exe)
    Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation (MinecraftInstaller.exe)
    Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation (MinecraftInstaller.exe)

Drops startup file (3 IoCs)
  description: ioc (process):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MinecraftInstaller.url (MinecraftInstaller.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (MinecraftInstaller.exe)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aint no way boy.txt (MinecraftInstaller.exe)

Executes dropped EXE (10 IoCs)
  pid process:
    3584 Chaos Ransomware Builder v4 Cleaned.exe
    3244 Chaos Ransomware Builderv4.exe
    6076 MinecraftInstaller.exe
    4900 MinecraftInstaller.exe
    908 MinecraftInstaller.exe
    1344 MinecraftInstaller.exe
    4832 MinecraftInstaller.exe
    3936 MinecraftInstaller.exe
    2064 MinecraftInstaller.exe
    1488 MinecraftInstaller.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (34 IoCs)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description: ioc (process):
    Set value (str): \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vfosorsph.jpg" (MinecraftInstaller.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description: ioc (process):
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies registry class (64 IoCs)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid process:
    4900 MinecraftInstaller.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid process:
    5624 7zFM.exe
    3244 Chaos Ransomware Builderv4.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (23 IoCs)

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description  pid process:
    Token: SeRestorePrivilege  5624 7zFM.exe
    Token: 35  5624 7zFM.exe
    Token: SeSecurityPrivilege  5624 7zFM.exe
    Token: SeSecurityPrivilege  5624 7zFM.exe
    Token: SeSecurityPrivilege  5624 7zFM.exe
    Token: SeDebugPrivilege  6076 MinecraftInstaller.exe
    Token: SeDebugPrivilege  4900 MinecraftInstaller.exe
    Token: SeDebugPrivilege  908 MinecraftInstaller.exe
    Token: SeDebugPrivilege  1344 MinecraftInstaller.exe
    Token: SeDebugPrivilege  4832 MinecraftInstaller.exe
    Token: SeDebugPrivilege  3936 MinecraftInstaller.exe
    Token: SeDebugPrivilege  2064 MinecraftInstaller.exe
    Token: SeDebugPrivilege  1488 MinecraftInstaller.exe

Suspicious use of FindShellTrayWindow (54 IoCs)

Suspicious use of SendNotifyMessage (24 IoCs)

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid process:
    3584 Chaos Ransomware Builder v4 Cleaned.exe
    3584 Chaos Ransomware Builder v4 Cleaned.exe
    3244 Chaos Ransomware Builderv4.exe
    4812 msedge.exe
    3244 Chaos Ransomware Builderv4.exe
    3244 Chaos Ransomware Builderv4.exe
    3244 Chaos Ransomware Builderv4.exe
    3244 Chaos Ransomware Builderv4.exe
    3244 Chaos Ransomware Builderv4.exe
    3244 Chaos Ransomware Builderv4.exe
    4524 SnippingTool.exe
    3244 Chaos Ransomware Builderv4.exe

Suspicious use of WriteProcessMemory (64 IoCs)

Processes
Each entry shows the image path, the command line, the signatures the sandbox attached to that process, and its PID. The bracketed number is the tree depth: an entry is a child of the nearest preceding entry one level shallower.

- [1] C:\Windows\system32\cmd.exe
  cmd: cmd /c C:\Users\Admin\AppData\Local\Temp\elmo.png
  PID: 2836

- [1] C:\Windows\System32\rundll32.exe
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3748

- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  sig: Enumerates system info in registry
  sig: Suspicious behavior: EnumeratesProcesses
  sig: Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  sig: Suspicious use of FindShellTrayWindow
  sig: Suspicious use of SendNotifyMessage
  sig: Suspicious use of WriteProcessMemory
  PID: 2392

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb087f46f8,0x7ffb087f4708,0x7ffb087f4718
    PID: 4032

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    PID: 1092

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    sig: Suspicious behavior: EnumeratesProcesses
    PID: 3500

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
    PID: 1180

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    PID: 2732

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    PID: 2084

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
    PID: 5428

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
    PID: 5436

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
    PID: 5760

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
    sig: Suspicious behavior: EnumeratesProcesses
    PID: 5776

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
    PID: 5896

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
    PID: 4292

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4796 /prefetch:8
    PID: 5320

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3600 /prefetch:8
    sig: Suspicious behavior: EnumeratesProcesses
    PID: 5312

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
    PID: 5760

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
    PID: 6044

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
    PID: 6052

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    PID: 4892

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
    PID: 5372

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
    PID: 3216

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
    PID: 5996

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6076 /prefetch:8
    PID: 3220

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
    PID: 6040

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
    sig: Suspicious behavior: EnumeratesProcesses
    PID: 5192

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
    PID: 5916

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
    sig: Suspicious behavior: EnumeratesProcesses
    PID: 3928

  - [2] C:\Program Files\7-Zip\7zFM.exe
    cmd: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Chaos_Ransomware_Builder_v4_Cleaned.rar"
    sig: Suspicious behavior: EnumeratesProcesses
    sig: Suspicious behavior: GetForegroundWindowSpam
    sig: Suspicious use of AdjustPrivilegeToken
    sig: Suspicious use of FindShellTrayWindow
    PID: 5624

    - [3] C:\Users\Admin\AppData\Local\Temp\7zO8F52EC28\Chaos Ransomware Builder v4 Cleaned.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\7zO8F52EC28\Chaos Ransomware Builder v4 Cleaned.exe"
      sig: Executes dropped EXE
      sig: Suspicious use of SetWindowsHookEx
      PID: 3584

    - [3] C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe"
      sig: Executes dropped EXE
      sig: Modifies registry class
      sig: Suspicious behavior: GetForegroundWindowSpam
      sig: Suspicious use of SetWindowsHookEx
      PID: 3244

      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\grwbmh3j\grwbmh3j.cmdline"
        PID: 4884

        - [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC139.tmp" "c:\Users\Admin\Pictures\CSC3DF7B0E8E3EE478C98A1594E3E981E45.TMP"
          PID: 4676

      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3uinpxj5\3uinpxj5.cmdline"
        PID: 4240

        - [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FF4.tmp" "c:\Users\Admin\Pictures\CSCA50A54B8203B4C46B34B72C0B0945D70.TMP"
          PID: 2524

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4880 /prefetch:2
    sig: Suspicious behavior: EnumeratesProcesses
    PID: 2024

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
    PID: 3936

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
    PID: 5248

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
    PID: 5660

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1132 /prefetch:1
    PID: 1864

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
    PID: 3956

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7128 /prefetch:8
    PID: 5756

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6728 /prefetch:8
    sig: Modifies registry class
    sig: Suspicious behavior: EnumeratesProcesses
    sig: Suspicious use of SetWindowsHookEx
    PID: 4812

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
    PID: 840

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6816 /prefetch:8
    sig: Suspicious behavior: EnumeratesProcesses
    PID: 5904

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
    PID: 4336

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=7056 /prefetch:8
    PID: 612

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
    PID: 2620

- [1] C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4652

- [1] C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5136

- [1] C:\Windows\SysWOW64\werfault.exe
  cmd: werfault.exe /h /shared Global\b6d0f823f4524eb0a75fdb44f0a55b30 /t 1940 /p 3584
  PID: 5356

- [1] C:\Windows\system32\SnippingTool.exe
  cmd: "C:\Windows\system32\SnippingTool.exe"
  sig: Suspicious use of SetWindowsHookEx
  PID: 4524

- [1] C:\Users\Admin\Pictures\MinecraftInstaller.exe
  cmd: "C:\Users\Admin\Pictures\MinecraftInstaller.exe"
  sig: Checks computer location settings
  sig: Executes dropped EXE
  sig: Suspicious behavior: EnumeratesProcesses
  sig: Suspicious use of AdjustPrivilegeToken
  PID: 6076

  - [2] C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe
    cmd: "C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe"
    sig: Checks computer location settings
    sig: Drops startup file
    sig: Executes dropped EXE
    sig: Drops desktop.ini file(s)
    sig: Sets desktop wallpaper using registry
    sig: Suspicious behavior: AddClipboardFormatListener
    sig: Suspicious behavior: EnumeratesProcesses
    sig: Suspicious use of AdjustPrivilegeToken
    PID: 4900

    - [3] C:\Windows\system32\NOTEPAD.EXE
      cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\aint no way boy.txt
      PID: 2320

- [1] C:\Windows\system32\NOTEPAD.EXE
  cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\aint no way boy.txt
  PID: 2428

- [1] C:\Users\Admin\Pictures\MinecraftInstaller.exe
  cmd: "C:\Users\Admin\Pictures\MinecraftInstaller.exe"
  sig: Checks computer location settings
  sig: Executes dropped EXE
  sig: Suspicious behavior: EnumeratesProcesses
  sig: Suspicious use of AdjustPrivilegeToken
  PID: 908

  - [2] C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe
    cmd: "C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe"
    sig: Executes dropped EXE
    sig: Suspicious use of AdjustPrivilegeToken
    PID: 1344

- [1] C:\Users\Admin\Pictures\MinecraftInstaller.exe
  cmd: "C:\Users\Admin\Pictures\MinecraftInstaller.exe"
  sig: Checks computer location settings
  sig: Executes dropped EXE
  sig: Suspicious use of AdjustPrivilegeToken
  PID: 4832

  - [2] C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe
    cmd: "C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe"
    sig: Executes dropped EXE
    sig: Suspicious use of AdjustPrivilegeToken
    PID: 3936

- [1] C:\Users\Admin\Pictures\MinecraftInstaller.exe
  cmd: "C:\Users\Admin\Pictures\MinecraftInstaller.exe"
  sig: Checks computer location settings
  sig: Executes dropped EXE
  sig: Suspicious use of AdjustPrivilegeToken
  PID: 2064

  - [2] C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe
    cmd: "C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe"
    sig: Executes dropped EXE
    sig: Suspicious use of AdjustPrivilegeToken
    PID: 1488
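The process tree above carries the whole Chaos-builder story in its parent/child relations: the builder extracted by 7-Zip spawns csc.exe and cvtres.exe to compile the payload at run time, the resulting MinecraftInstaller.exe is launched from Pictures and immediately re-launches a copy of itself from AppData\Roaming, and that copy opens the ransom note in Notepad. The following is an added example, not part of the sandbox output or of any vendor's tooling. It rebuilds the tree from the report's depth markers and applies three detection rules to it. The rows are transcribed from the report (depth, image path, command line, PID); the set of "user-writable" directories, the list of legitimate build tools and the rule names are my own assumptions, not something the report states.

```python
"""Rebuild a sandbox process tree from depth-annotated rows and flag the
behaviours that distinguish this Chaos-builder run from a plain browser session.

Added example; not part of the sandbox report or of any vendor tooling.
ROWS is transcribed from the report's process tree. USER_WRITABLE, BUILD_TOOLS
and the rule names are assumptions chosen for this illustration."""
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    depth: int
    path: str
    cmdline: str
    pid: int
    parent: "Proc | None" = None
    children: list = field(default_factory=list)

    @property
    def image(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def build_tree(rows):
    """A depth-n row is a child of the nearest preceding depth n-1 row, which is
    how the report's 1..5 markers encode the tree."""
    stack, procs = [], []
    for depth, path, cmdline, pid in rows:
        p = Proc(depth, path, cmdline, pid)
        while stack and stack[-1].depth >= depth:
            stack.pop()
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs


# Assumption: an image under one of these locations is a "dropped" binary.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata\\(local\\temp|roaming)|pictures|downloads)\\", re.I)
# Assumption: on a workstation csc/cvtres are expected only under these parents.
BUILD_TOOLS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
COMPILERS = {"csc.exe", "vbc.exe", "cvtres.exe"}


def ancestors(p):
    while p.parent is not None:
        p = p.parent
        yield p


def find_findings(procs):
    """Return (rule, pid, related_pid) tuples for every process that trips a rule."""
    out = []
    for p in procs:
        anc = list(ancestors(p))
        ppid = p.parent.pid if p.parent else None
        if USER_WRITABLE.search(p.path):
            out.append(("dropped_exe", p.pid, ppid))
            # Same image name re-launched from a different user-writable path:
            # the self-copy step (Pictures -> AppData\Roaming) seen in the report.
            for c in p.children:
                if (c.image == p.image and c.path.lower() != p.path.lower()
                        and USER_WRITABLE.search(c.path)):
                    out.append(("self_copy", p.pid, c.pid))
        # Runtime C# compilation: csc/cvtres with no build tool anywhere up the
        # chain; the related pid is the nearest ancestor that is not a compiler.
        if p.image in COMPILERS and not any(a.image in BUILD_TOOLS for a in anc):
            origin = next((a for a in anc if a.image not in COMPILERS), None)
            out.append(("runtime_compile", p.pid, origin.pid if origin else None))
        # Ransom-note display: Notepad spawned by a dropped binary, or opening a
        # text file placed on the shared Public desktop.
        if p.image == "notepad.exe" and (
                (p.parent is not None and USER_WRITABLE.search(p.parent.path))
                or "\\public\\desktop\\" in p.cmdline.lower()):
            out.append(("ransom_note", p.pid, ppid))
    return out


# Transcribed from the report: (depth, image path, command line, PID).
ROWS = [
    (1, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "--profile-directory=Default", 2392),
    (2, r"C:\Program Files\7-Zip\7zFM.exe", r'"C:\Users\Admin\Downloads\Chaos_Ransomware_Builder_v4_Cleaned.rar"', 5624),
    (3, r"C:\Users\Admin\AppData\Local\Temp\7zO8F52EC28\Chaos Ransomware Builder v4 Cleaned.exe", "", 3584),
    (3, r"C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe", "", 3244),
    (4, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", r'/noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\grwbmh3j\grwbmh3j.cmdline"', 4884),
    (5, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe", r'/NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC139.tmp"', 4676),
    (4, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", r'/noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3uinpxj5\3uinpxj5.cmdline"', 4240),
    (5, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe", r'/NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FF4.tmp"', 2524),
    (1, r"C:\Users\Admin\Pictures\MinecraftInstaller.exe", "", 6076),
    (2, r"C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe", "", 4900),
    (3, r"C:\Windows\system32\NOTEPAD.EXE", r"C:\Users\Admin\AppData\Roaming\aint no way boy.txt", 2320),
    (1, r"C:\Windows\system32\NOTEPAD.EXE", r"C:\Users\Public\Desktop\aint no way boy.txt", 2428),
    (1, r"C:\Users\Admin\Pictures\MinecraftInstaller.exe", "", 908),
    (2, r"C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe", "", 1344),
]

if __name__ == "__main__":
    for rule, pid, related in find_findings(build_tree(ROWS)):
        print(f"{rule:16} pid={pid} related={related}")
```

The same rules translate directly to a Sysmon Event ID 1 (process creation) query, where ParentImage and Image replace the depth markers. Keep the runtime_compile rule ancestor-aware rather than parent-only: cvtres.exe is spawned by csc.exe, so a parent-only check would only ever blame the compiler, not the builder that invoked it.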
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
226B
MD528d7fcc2b910da5e67ebb99451a5f598
SHA1a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA2562391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA5122d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6
-
Filesize
152B
MD5f35bb0615bb9816f562b83304e456294
SHA11049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA25605e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
-
Filesize
152B
MD51eb86108cb8f5a956fdf48efbd5d06fe
SHA17b2b299f753798e4891df2d9cbf30f94b39ef924
SHA2561b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
67KB
MD588a552e6be1ac3978c49143983276b3a
SHA1dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423
SHA256927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5
SHA512125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a
-
Filesize
32KB
MD53baf7c2e036abf00bf52d8e4a918e970
SHA10eb5406e14050dc41227ba74b64a38da778fe5d6
SHA256d30dcb199ca26a9664a46c01b4eccb26f5b8682f04480d0a9d2beffab7d0a049
SHA512c12875c0e5085f534496ca9f1f43bc4d5097f6d4d969f70ad1651bf01bdd4e9f5e27c93413ef0589c06c647c0a22d8c4b7a2ffbda2fe61bdeb84657f53a6a429
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
19KB
MD576a3f1e9a452564e0f8dce6c0ee111e8
SHA111c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.1MB
MD5a08bc7e7f24349a9b16da33a6c833580
SHA1b214e57a3beed9983e30b3e1ae49df021952ee82
SHA2569b045fd77395370e218f74c0dddb8106bd1bcb52163de80b1e51a7691fe7297d
SHA51224853c38f38f0472867db8e42c34397b616926b2ffc2aed7d40354de736fd5723e5a04e6a11b0aecfe0c937f8952d14ffc9c417a51d04d72139675e0415b55e3
-
Filesize
22KB
MD56b829170538722adf52f4790d82253e4
SHA1ad496b99fb5dded45764aec3eb3f46da632e5d05
SHA2563133a600874b096bb0213f01817ce293f5b3fba6539c75bf2853f897b6c924b0
SHA512b3de073f7ce4846366e5b42854fa43be35a4f607575e0f43845d93c6526c363b078ba855a41dfb7442097cf133f93f012162b8afda754faf135a25daaf0500e3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD5f470e4a38c090236fd462eb472150dc7
SHA198111aac21fc88340b133074ace67627acc95ec8
SHA256c1e712077af0e164d93ebc44786ba6083043d1668894cf822872a394584a10f7
SHA51223563fd0a8c8ce410341d6ec66b63a3b6ab4e6e1e5f9bba19513a38d9e0ca9c61627088cbe38d32414612314802360182cbe240f836f106da4ff771f0bffa7f4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD5b4a2d08c828e7efd9c00c35901429cdf
SHA1ce312898a287878ed327889d9daa505f3938adaf
SHA256ddf6b9a76dee0cb6a68af354e98dd6f5bc8c477a006674b4cdc838f015771b3e
SHA512d7c362528624b1c30d9d09d4a6949a703548b7c64822e0a013ba91de5a49b3276460f16db9d1d8cf637019777248f5bd46ffc0bb3c74541a3b51ca3bccb18750
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
2KB
MD5fc0159046d72145b10c9477201a98747
SHA1fd1d82ce106a8337066a51b7d06d5caff19db5dc
SHA2564d4be3dfed414eeb9a43b665976643dc3270f345d956b06cc1e3d5b86d7c5f23
SHA51270c788dbf076113f17d40681e5282ffce61858f1e042c196685b70f23d68b03e9f303a994693add346bd1e95b26961e29c7988af605dc53a01b70c3058d54616
-
Filesize
1KB
MD5b9832e87f87f3f303a8c8271c7f496b1
SHA11f7588a5affa3c6574cabe2ce3144390b010abed
SHA2565fae7250c485242a47ed521493070f4c8dad7bdcdceef5d1941f7743f9b2b882
SHA512fd68c2f381161c7586bd0b0d48da6ceccc67c0d3dcb2ea08d0de1b88934befb727ff2045848bd2aed8ddd135b33b6b90358a13a210b3ea5ef4d9ea720b73e246
-
Filesize
1KB
MD58f2ecb59a436e61f3db3bdc4480ce95e
SHA1210b552be23b25b688ae90eaefa1009900fbbc56
SHA256064d344347174558b23089e5d9c46b5d3d2772ec9e4df266802279e43931e96a
SHA512a6218234d23fae92f1dfd9e2b14044b0b834aaff01e99fdbacbe8a1ee55ceae16f00bd1670a7b34f7e3c00892d016f8414c67ae57556b17c489021968e585e9a
-
Filesize
7KB
MD567aa42f2cdb4a26cddf5fcc95d36adb8
SHA1cbf9cf85e5c00711d2db570d0c735673109398af
SHA256f4f77bd9e77b99423e10ae425a2280a1ab5072f04dedfd845f9931e88e8340c4
SHA512228055cd3a2dd12020acd9a531d31957d828d2c90ab43ac164f912664b5a66e21d16356d9d8745842550ccf8fd9a2b48e6f76fa5e2edd277655838c5ecab4610
-
Filesize
6KB
MD525a7aa0272bfd7ac27b4e3e3706d57e6
SHA194ae4f45bc6b6b90d1335d814d1682d3432e0dd2
SHA25606f6e26d62f1fe308cbed0e67d0bd983ea708f0d098a00d83488e16ed0e809a0
SHA51228cf1f53691896aec8a5f5647d03aa617fe85546519378615c06dd9c76ba6ab9dd10a59f8e6655c656116326332061162f1d33bdcb70c4b8870a6e8a2f3139c7
-
Filesize
6KB
MD5e4111db281ef03714e8db1d4d2104602
SHA19a16a1f39700a5908d5877acb6516f2e5fd9b8e4
SHA256b7bceac71b8262276080af1b141ff200016cff33e2afe186419dabd65d028257
SHA512402b18f60d8eb2c3d7acc37a339a3ed9615b10e8656a6b57e2c7a91717767c48dd79400c7b9ac7d54f41673d526b09ef30b7adf86e9670390e7e318139585d6f
-
Filesize
7KB
MD5e7787167b0569801e95913376c9167f1
SHA1a041919e665cb8175666a15ce078873deb729ed5
SHA256c615a6536ad75640bc4fe03843fdc1665f5ac5cf4e9dac7b3f605ca94c14c5d0
SHA512bc295a32c66b3f27e44cd5452f1680aee3b70583ce905dca23dab734752680b66bfe556be2655ed6e89cea0ef854cc95a8d1b824126bc8e4c5867d6a5f1a141f
-
Filesize
7KB
MD50262d871316866955dd1a72ee048fced
SHA149a6319492dc61b4332bc840190c55c1dfe270a7
SHA256d1a1ff2375f20d1567913bcfb0683c862f9dd6b8b57d8ceef7db3afde22ba86d
SHA512026a8b267f388d19e8a820378d114676cea11a44b2fbdbdc733da12b3042950d6075eaa5df37cb19240022092ca8e55c31331bbb033d35522869ce82ee3b39d2
-
Filesize
6KB
MD502f9e490bc68679a35e2c399df812ab0
SHA15bceba38cde0e2eb0b969ef3ca6676c30ba26fce
SHA256691ae41cab7ed33ff4d34be8b368d5bb40783dfd0b90535cf72b9cf7b1da0e35
SHA512447741ffa8ee5bbfaa55efe9ea900e6d0c9da2c3e158e21e5341626589ea8742a7d4012cf4063496a94acb2cbcd2d0f0f045c1af1d215ff3c00a38d94caf7fec
-
Filesize
1KB
MD559c2bf93359b6a507bc6ad773ecf8492
SHA1041661da7b05ad49337484f3fb7f331ce9c58cc5
SHA256459f6808c6a9ef4eee9633a037bb487d93ed7ffddc2f5d7ad73bb4ff7da4f5ac
SHA512d1ee225330061d1c9871a2244bbb105e375c9a316ebf153eb866ad84e95fc817c0bc10e250c32b0af3bf5db38b5ac68d0d25ded996aadde90603a7c579421bdf
-
Filesize
1KB
MD5c2aa0ec18d227cd903dffec52d15a96e
SHA16986125c7447e3e4f59000649928eba4cdb7678f
SHA256d57bcab0897c0a84ecc01d4bbb4396b59b19d8abe801c27c46bc312c791b92dd
SHA5121c37b9f816327b7974a7a8f84b71af8bf0eccbc304a1655c57162289336b5dcd12d3830ce2c9f5467fa8de286ed79e6e109e85305daa7736a369e7394d3185ad
-
Filesize
1KB
MD5819a737cfde7ef365dc87c94cb69a3e8
SHA134ee35372f43c703d98601df33682a26107c4c47
SHA25664ec13ebd10b2e5a5a47b52b95eb5d17a0dfb09014502de632b04032e3096fa3
SHA5120128720eeef98cb92c36ca2dfe79a72213ef5779e225b280b278e9eca3b9a68ae201b4e7f631b40b1e60bc149925b544f8ecc41810a09bb064816b5871c57184
-
Filesize
1KB
MD58281a43ddb17746cf42164d74e32ef85
SHA15b821f02004134091b7889926d5d288ef5766f58
SHA256b5d68e573917094e5dead3921f38a2919343765cf6eb3985e0ca7590b276132e
SHA5127669d70e0ddfc80b8d8c9a4fce85d6f5e2e05aad1f71da80f58f04d3e18b4fd64b9e7c534acb0878dac2381905e822b05dbf0ff2403b7eb9603137d38bb020d1
-
Filesize
536B
MD5
51edd51dd10613326ef407cc85e3f268
SHA1
52a071edc90d14f75278abd4c1329f2339a5bcfe
SHA256
8d823d93bb440c37c2fde4ad81cfb6b71529bc4a6d9a2a8e0f53fafbec455040
SHA512
cef05b85fd4413af81eea610577b0d84b0eb541a864611050c7c96299ef18db73ef2f71eb390398b46d200750ec430b6012e4a91f9e701e1da8a4df488369249
-
Filesize
16B
MD5
6752a1d65b201c13b62ea44016eb221f
SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD5
19b6e559f14a5ee1047ecfff1ff41d4f
SHA1
4330274fc8b68e8ab207fb3b0b85e79bd693e10e
SHA256
915c3320994666645022b40d654b75d843fd9a3238c47d2be3c9a2b5a1a40b9b
SHA512
d9538f96d456845f3e12b78c6c8d73ae97a7ad311805953ac8fc8d61a732ecada6a1e63090daa4390ca3c5420de51900e72caf5498f63a2a593358898b9d9a6b
-
Filesize
11KB
MD5
40df24184db14a00d04cb228d229e5e0
SHA1
2ad6158bce5a536518b251205a6af830afde9fe6
SHA256
fee416678d7b149a2961b23e22d85ae57063026fdd4a0d41a96a627d8bdfa4e2
SHA512
4224b2d797e0d4ad0f3a116f4d3237851a6e4517d14eea2fafae557de7660dc6236e868b23a4931edff5578b9e61a0b77cbe6e24b50a9aeb9f825937936a520d
-
Filesize
12KB
MD5
214e3e87e2ef19d54cda4fe55ef815cd
SHA1
7e512068f67bbf30c364b69406283f0143f722c9
SHA256
e3ca78f75268a521f68780ad9e26ce863db01d85c139b2753d9910eaedb3c404
SHA512
df3051ffb145268b3abcf5d6145bb61d5caa7c7656cd9da10cc0f16c05bc50d4c4cca30dd2d4c00c21221141b7bb8d8756d5c9f2c891e943bb6dff0314593d6a
-
Filesize
11KB
MD5
b1d235387439a4b0693a86d6f2813774
SHA1
30c9f066d5a9b52c7c4095dba895bc7ae1db1107
SHA256
2a494e33f0622c46a0a285a84c940efd220b6b04f645c3a854509bcec3ed6ead
SHA512
be7a709503d80feb7c51079d2d52fe6ad2fd9da60477f5ca5226db5505fcd898c399a9e44f8bc2a50583002762e8f92efd36addf21c7bc4c791d184aa0b3972c
-
Filesize
12KB
MD5
c005e051c6855f6b8609721f8816d02d
SHA1
ccfa1324f466ab9e88d2b419f1bfa5f65fe0ed24
SHA256
db235695a5e95814d5f53e7212fa60856f08654410b4ce337e373530672eb8e6
SHA512
9a36ce9c40d8a94098bd5b11685b9a393815cafbe77aaa22e5d5eaf5eb67bba23741c5230fcfadb1217837b03af7b5eaa642e192d8157041a7dd91f0e6f53ba4
-
Filesize
345KB
MD5
30caa962e1ee863f2fcbed2b8e38f207
SHA1
3ea3d0fdbdf6339756983152df6e3a28d5873a11
SHA256
c5004c691b576c3f3899d628176ade9d8c87b7bf6d44d96945b4d1df1254a132
SHA512
61ce53a94d0a4695368d33f9e3a1435800b9fd828e7e0c14144a0e45ac3ae7c4b4c04ecf9c5a5b794c2049759dc34df6e23ac39741c98bbd8cf18bda9d1c2a21
-
Filesize
548KB
MD5
9a44537dfcf8ceac515c4aa92f30f4af
SHA1
9a26c3ff3251f69950ce09e3692ce14b5dd536b1
SHA256
3246be7f25f8f4cd9ade8f0a8faf12847df126eecf65d7e8012f35ab45e73a40
SHA512
94da6f1aaae6c25e47e31ac246a8703ec8f7b2893a44ae10f7600cc79ba673bca60d7fb41b2ebac8a4b5497ab98a0a195a32d93f4fc140ba7c9cd25811943500
-
Filesize
1KB
MD5
1461a64fd8c4912ba66907b5454e2328
SHA1
7a5a433f0e78802dd07c0f9347cf36f250d73836
SHA256
8c56d86363aed6bd82daedc74376dc9f653e51f1ce472b4b7e776c223927a821
SHA512
63d97544ccbfa94854caee4d754a8c1de56e75c1b053e94a8df72cf1206095cc4eafa56a1dd015b5bb7a41485f01244a56878a4223895d81b86836a85380e2a3
-
Filesize
1KB
MD5
4a612fca9ab0ca797a81a3c4525e1e3f
SHA1
a2652ace3e93ad0c634820282ae5db5c8dfe66f8
SHA256
ec53c1c5e6909c48e9f417a4d92305ecbf7a3c4f9c091e567c049871bf00200f
SHA512
d8b50ae7a853596e5aac5046dc6084ec17969cbd06d4601c12d56a61a3ce67585b24c498f8e9b2e31c8e7b587c61b0b217e1fa6303fc38b2cf3ccee11a6d80b4
-
Filesize
30KB
MD5
537eefa0a7fe26f2a2175f84709252ca
SHA1
9316fb8502a81f7557972e3920b98ddb98f611fa
SHA256
1f3cfa205b608ad0920ee9b00c736096f4d6173346fc0ca6aaf06e08ea2bcead
SHA512
914c99af595eea6e98b45230f94894a8816cb005307ecd6520c40195a8bede6911ff013f1958f9f8ef6c8a152aba12699939facbc58e25ce4473a0d22df84752
-
Filesize
964B
MD5
4217b8b83ce3c3f70029a056546f8fd0
SHA1
487cdb5733d073a0427418888e8f7070fe782a03
SHA256
7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA512
2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740
-
Filesize
226KB
MD5
6a160e5713b7c4a269ef35eac73e1412
SHA1
36b833c40d83652d450888ff2b602321b9de877c
SHA256
0909910f70a8bad23ba9232fc2d5110fc5841fd2c6600c5a38b1c72aada42b51
SHA512
97eb791552ef0262d903b1f40ebf61731603cb00f57829214c71d4df8c01a1d2f1352f877f9ad0dec08c21afcb7cd3740b9cbc3eb1f1474ca70c3ab6bb30fcf2
-
Filesize
83KB
MD5
8d55926714dca1fb12105427108e3f42
SHA1
49de023ae157a837f4f4535e0868bf699a269597
SHA256
635f9cb4766dc154d64bbbedc9ec3ede21af802ec7380c20ee89ba563cf33476
SHA512
4cde0620e32b660f0565e6b6e8afdb55b63530b842c6c45ae1644d262ecda749f73d163542018c95b28f6d4850f0f44398a3e34f14c0637f51c932f31bef2736
-
Filesize
84KB
MD5
f42487f164caf1742d3b1960872e0461
SHA1
515aa7d1becba3bc3b77d688171a66a8bc21cdfc
SHA256
93c4c991f48da8f60c43c567f8251c4e7edb791b4f4af52462a306c5f9d18750
SHA512
da2149aa2b25ea159440fa6276d69d66456e0103810e69dc48065b434f49a66cf160f9de6691c80a0d6db846c2c9e53b792cb232d62c20fc99502a1605fb5d24
-
Filesize
61KB
MD5
41781cb861bf9c93b76e02b8aef84dce
SHA1
aeed63a609d7b0ad3c60e8b96bec9a116eecfaec
SHA256
79b9b1c9ba55a9b33877d3b93a51fa0d818128575a5030cf1caf12c8bee8dbe7
SHA512
0355a5d2819032c46edb9c8d359b0bc44801a9a4c4aed233ce6fa775d9f74e9b536c1dfa060d13321a170a680fa60064577e83e6524fae31033fd1950e2932e5
-
Filesize
345B
MD5
6d5121a25d74e9264b7e91be6f43a115
SHA1
9abbccd2ff37b1b8b20bd1a6f644beb8fe3ecbe4
SHA256
394af20cd9ca756d8120d7926e80a5d96e54cb96349ba3bcb06315e94a3d9c70
SHA512
d1b61761a16553ab6647e7d57829761b7fbdf47da276ef03ead594edf5070d718bb45fe688c52bc524890071a0f53314a87de7ae2d15977d89b03257c4e17f1a
-
Filesize
61KB
MD5
86250b618b87cd6c811cdbdd80de5897
SHA1
a10767ee655787b3b8119aa4017e622535f6566c
SHA256
9e2ce796dfceb3c0d7514fff3f5a91d228aee475f3678239e3f3714dbead64a3
SHA512
cbfeff973c89db7f44db64fd2bf1bf0566f5daf6e74b3af45353c877a34e9ced8f0b499055d27878042d10aab1328f26a088b30514688550aabc02862a0f46f6
-
Filesize
345B
MD5
6a8ecfbea79ad5cb59b160a270f685df
SHA1
92447da8ef9e9b63682c065c338a92eed57e4c83
SHA256
6bfd532fce20941b075bcb7612f7b85174cfe64da230cc034efafd8ef3d41d6c
SHA512
e223910cfe4a2a9805b6f706bc451ac31248b72f3bcdf571b4dee419c1c70208f55962a2e1e72ce28ec89bcb1bbd9deac0988da616f2c5e570e90d7bbc824051
-
Filesize
1KB
MD5
4d419e6717df57d60a1c72d0b58e8294
SHA1
f3e4dbbfe384e25d681c18390114926c96f70228
SHA256
8f22fff5a31710d2544e5f7d2235a3d3a83fcad4adc78a63f60d2db32c378587
SHA512
b775d83b901ea2b6175309547403cdea4c6533123ea3b3ca5b71e56cd4ebd4ab2a5974fc4676bfef5e4e6e2c210f5a8a44ed1c7c3ea6a5bd454ee9e4cc493804
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
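Two things matter before any of the dropped-file hashes above go into a blocklist. First, the extractor fused each algorithm name to its hex value ("MD50262d871..."), so the list has to be parsed back into labelled digests and each digest checked for the right length (32/40/64/128 hex characters). Second, the final entry carries d41d8cd98f00b204e9800998ecf8427e, da39a3ee..., e3b0c442... and cf83e135..., which are the MD5, SHA1, SHA256 and SHA512 of zero-length input: that dropped file is empty, and an indicator built from it would match every 0-byte file on every host. The script below is an added example, not part of the sandbox report or of any vendor tooling; it assumes only the layout visible in the list (a lone "-" between entries, "Filesize" followed by its value, digest lines fused or split across two lines) and embeds a constructed sample in that layout.

```python
"""Turn a sandbox report's dropped-file hash list into validated indicators.

Added example; not the report's or any sandbox vendor's code. Assumes the
flattened layout seen in the report: "-" separators, "Filesize" then its
value, and "<ALG><hex>" lines where the label may also stand alone.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hex digest length of each algorithm the report lists.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Digests of zero-length input: an entry carrying these is an empty file and
# is useless (and noisy) as a detection indicator.
EMPTY_DIGESTS = {alg: getattr(hashlib, alg.lower())(b"").hexdigest() for alg in DIGEST_LEN}

# Longest names first so "SHA512..." is never read as SHA1 + "512...".
# Empty hex group allows a bare label ("MD5") whose value is on the next line.
_FUSED = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9A-Fa-f]*)$")


@dataclass
class DroppedFile:
    size: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)

    def problems(self) -> List[str]:
        """Reasons this entry must not be used as an indicator (empty if fine)."""
        issues = []
        for alg, want in DIGEST_LEN.items():
            got = self.digests.get(alg)
            if got is None:
                issues.append(f"missing {alg}")
            elif len(got) != want:
                issues.append(f"{alg} has {len(got)} hex chars, expected {want}")
        if any(EMPTY_DIGESTS[alg] == h for alg, h in self.digests.items()):
            issues.append("digests are those of the empty file")
        return issues

    def matches(self, data: bytes) -> bool:
        """True if every digest recorded for the entry matches the given bytes."""
        return bool(self.digests) and all(
            getattr(hashlib, alg.lower())(data).hexdigest() == h
            for alg, h in self.digests.items()
        )


def parse_report(text: str) -> List[DroppedFile]:
    entries: List[DroppedFile] = []
    current: Optional[DroppedFile] = None
    pending: Optional[str] = None  # label seen alone; its value is on the next line

    def ensure() -> DroppedFile:
        nonlocal current
        if current is None:
            current = DroppedFile()
            entries.append(current)
        return current

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # entry separator
            current, pending = None, None
            continue
        if pending is not None:              # value belonging to the previous label
            if pending == "Filesize":
                ensure().size = line
            else:
                ensure().digests[pending] = line.lower()
            pending = None
            continue
        if line == "Filesize":
            pending = "Filesize"
            continue
        m = _FUSED.match(line)
        if m:
            alg, hexval = m.group(1), m.group(2)
            if hexval:
                ensure().digests[alg] = hexval.lower()
            else:
                pending = alg                # bare label, hash follows on the next line
    return entries


def actionable_sha256(entries: List[DroppedFile]) -> List[str]:
    """SHA256 values safe to load into a blocklist: complete, well-formed, not empty-file."""
    return [e.digests["SHA256"] for e in entries if not e.problems()]


# Constructed sample in the report's layout. Entries 1 and 2 are copied from the
# list above (the 7KB file and the final, empty-file entry); entry 3 is made up,
# with a truncated SHA256, to exercise the validation path.
SAMPLE = "\n".join([
    "-", "Filesize", "7KB",
    "MD50262d871316866955dd1a72ee048fced",
    "SHA149a6319492dc61b4332bc840190c55c1dfe270a7",
    "SHA256d1a1ff2375f20d1567913bcfb0683c862f9dd6b8b57d8ceef7db3afde22ba86d",
    "SHA512026a8b267f388d19e8a820378d114676cea11a44b2fbdbdc733da12b3042950d6075eaa5df37cb19240022092ca8e55c31331bbb033d35522869ce82ee3b39d2",
    "-", "MD5", "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
    "-", "Filesize", "3KB",
    "MD5" + "0" * 32, "SHA1" + "0" * 40, "SHA256deadbeef", "SHA512" + "0" * 128,
])

if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for e in parsed:
        print(e.size, e.digests.get("SHA256"), e.problems() or "ok")
    print("blocklist:", actionable_sha256(parsed))
```

Run against the full list, only entries that pass `problems()` reach `actionable_sha256`; the empty-file entry is rejected even though every one of its digests is well-formed, and `matches()` lets you confirm a recovered file against its entry before relying on the hash at all.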