Analysis Overview
SHA256
b90d8effccd1bcfafd2efcfd786aeaf1babd741e2a0a8fbe9e0f981f66066bcc
Threat Level: Known bad
The file elmo.PNG was found to be: Known bad.
Malicious Activity Summary
Chaos
Chaos Ransomware
Reads user/profile data of web browsers
Drops startup file
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-16 10:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-16 10:12
Reported
2024-03-16 10:24
Platform
win10v2004-20240226-en
Max time kernel
686s
Max time network
681s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MinecraftInstaller.url | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aint no way boy.txt | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8F52EC28\Chaos Ransomware Builder v4 Cleaned.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vfosorsph.jpg" | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\4 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000db89bb4ac668da019076314cc668da012206654dc668da0114000000 | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000030000000200000001000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78} | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Music" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000 | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Pictures" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\NodeSlot = "5" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\4\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239} | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e80d43aad2469a5304598e1ab02f9417aa80000 | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\4 | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\elmo.png
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb087f46f8,0x7ffb087f4708,0x7ffb087f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4796 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3600 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6076 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Chaos_Ransomware_Builder_v4_Cleaned.rar"
C:\Users\Admin\AppData\Local\Temp\7zO8F52EC28\Chaos Ransomware Builder v4 Cleaned.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8F52EC28\Chaos Ransomware Builder v4 Cleaned.exe"
C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\b6d0f823f4524eb0a75fdb44f0a55b30 /t 1940 /p 3584
C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4880 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1132 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7128 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6728 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6816 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=7056 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\grwbmh3j\grwbmh3j.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC139.tmp" "c:\Users\Admin\Pictures\CSC3DF7B0E8E3EE478C98A1594E3E981E45.TMP"
C:\Windows\system32\SnippingTool.exe
"C:\Windows\system32\SnippingTool.exe"
C:\Users\Admin\Pictures\MinecraftInstaller.exe
"C:\Users\Admin\Pictures\MinecraftInstaller.exe"
C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe
"C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\aint no way boy.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\aint no way boy.txt
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3uinpxj5\3uinpxj5.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FF4.tmp" "c:\Users\Admin\Pictures\CSCA50A54B8203B4C46B34B72C0B0945D70.TMP"
C:\Users\Admin\Pictures\MinecraftInstaller.exe
"C:\Users\Admin\Pictures\MinecraftInstaller.exe"
C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe
"C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe"
C:\Users\Admin\Pictures\MinecraftInstaller.exe
"C:\Users\Admin\Pictures\MinecraftInstaller.exe"
C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe
"C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe"
C:\Users\Admin\Pictures\MinecraftInstaller.exe
"C:\Users\Admin\Pictures\MinecraftInstaller.exe"
C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe
"C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe"
Network
Files
memory/3244-435-0x000000001B2E0000-0x000000001B2F0000-memory.dmp
memory/3244-438-0x000000001B2E0000-0x000000001B2F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 8f2ecb59a436e61f3db3bdc4480ce95e |
| SHA1 | 210b552be23b25b688ae90eaefa1009900fbbc56 |
| SHA256 | 064d344347174558b23089e5d9c46b5d3d2772ec9e4df266802279e43931e96a |
| SHA512 | a6218234d23fae92f1dfd9e2b14044b0b834aaff01e99fdbacbe8a1ee55ceae16f00bd1670a7b34f7e3c00892d016f8414c67ae57556b17c489021968e585e9a |
memory/3244-451-0x000000001B2E0000-0x000000001B2F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | 3baf7c2e036abf00bf52d8e4a918e970 |
| SHA1 | 0eb5406e14050dc41227ba74b64a38da778fe5d6 |
| SHA256 | d30dcb199ca26a9664a46c01b4eccb26f5b8682f04480d0a9d2beffab7d0a049 |
| SHA512 | c12875c0e5085f534496ca9f1f43bc4d5097f6d4d969f70ad1651bf01bdd4e9f5e27c93413ef0589c06c647c0a22d8c4b7a2ffbda2fe61bdeb84657f53a6a429 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | d6b36c7d4b06f140f860ddc91a4c659c |
| SHA1 | ccf16571637b8d3e4c9423688c5bd06167bfb9e9 |
| SHA256 | 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92 |
| SHA512 | 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
| MD5 | 88a552e6be1ac3978c49143983276b3a |
| SHA1 | dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423 |
| SHA256 | 927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5 |
| SHA512 | 125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
| MD5 | 76a3f1e9a452564e0f8dce6c0ee111e8 |
| SHA1 | 11c3d925cbc1a52d53584fd8606f8f713aa59114 |
| SHA256 | 381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c |
| SHA512 | a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | 56d57bc655526551f217536f19195495 |
| SHA1 | 28b430886d1220855a805d78dc5d6414aeee6995 |
| SHA256 | f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4 |
| SHA512 | 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
| MD5 | b38fbbd0b5c8e8b4452b33d6f85df7dc |
| SHA1 | 386ba241790252df01a6a028b3238de2f995a559 |
| SHA256 | b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd |
| SHA512 | 546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
| MD5 | a08bc7e7f24349a9b16da33a6c833580 |
| SHA1 | b214e57a3beed9983e30b3e1ae49df021952ee82 |
| SHA256 | 9b045fd77395370e218f74c0dddb8106bd1bcb52163de80b1e51a7691fe7297d |
| SHA512 | 24853c38f38f0472867db8e42c34397b616926b2ffc2aed7d40354de736fd5723e5a04e6a11b0aecfe0c937f8952d14ffc9c417a51d04d72139675e0415b55e3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0262d871316866955dd1a72ee048fced |
| SHA1 | 49a6319492dc61b4332bc840190c55c1dfe270a7 |
| SHA256 | d1a1ff2375f20d1567913bcfb0683c862f9dd6b8b57d8ceef7db3afde22ba86d |
| SHA512 | 026a8b267f388d19e8a820378d114676cea11a44b2fbdbdc733da12b3042950d6075eaa5df37cb19240022092ca8e55c31331bbb033d35522869ce82ee3b39d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c2aa0ec18d227cd903dffec52d15a96e |
| SHA1 | 6986125c7447e3e4f59000649928eba4cdb7678f |
| SHA256 | d57bcab0897c0a84ecc01d4bbb4396b59b19d8abe801c27c46bc312c791b92dd |
| SHA512 | 1c37b9f816327b7974a7a8f84b71af8bf0eccbc304a1655c57162289336b5dcd12d3830ce2c9f5467fa8de286ed79e6e109e85305daa7736a369e7394d3185ad |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b
| MD5 | 6b829170538722adf52f4790d82253e4 |
| SHA1 | ad496b99fb5dded45764aec3eb3f46da632e5d05 |
| SHA256 | 3133a600874b096bb0213f01817ce293f5b3fba6539c75bf2853f897b6c924b0 |
| SHA512 | b3de073f7ce4846366e5b42854fa43be35a4f607575e0f43845d93c6526c363b078ba855a41dfb7442097cf133f93f012162b8afda754faf135a25daaf0500e3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e7787167b0569801e95913376c9167f1 |
| SHA1 | a041919e665cb8175666a15ce078873deb729ed5 |
| SHA256 | c615a6536ad75640bc4fe03843fdc1665f5ac5cf4e9dac7b3f605ca94c14c5d0 |
| SHA512 | bc295a32c66b3f27e44cd5452f1680aee3b70583ce905dca23dab734752680b66bfe556be2655ed6e89cea0ef854cc95a8d1b824126bc8e4c5867d6a5f1a141f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 819a737cfde7ef365dc87c94cb69a3e8 |
| SHA1 | 34ee35372f43c703d98601df33682a26107c4c47 |
| SHA256 | 64ec13ebd10b2e5a5a47b52b95eb5d17a0dfb09014502de632b04032e3096fa3 |
| SHA512 | 0128720eeef98cb92c36ca2dfe79a72213ef5779e225b280b278e9eca3b9a68ae201b4e7f631b40b1e60bc149925b544f8ecc41810a09bb064816b5871c57184 |
memory/3244-784-0x00000000236C0000-0x0000000023E17000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b4a2d08c828e7efd9c00c35901429cdf |
| SHA1 | ce312898a287878ed327889d9daa505f3938adaf |
| SHA256 | ddf6b9a76dee0cb6a68af354e98dd6f5bc8c477a006674b4cdc838f015771b3e |
| SHA512 | d7c362528624b1c30d9d09d4a6949a703548b7c64822e0a013ba91de5a49b3276460f16db9d1d8cf637019777248f5bd46ffc0bb3c74541a3b51ca3bccb18750 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c005e051c6855f6b8609721f8816d02d |
| SHA1 | ccfa1324f466ab9e88d2b419f1bfa5f65fe0ed24 |
| SHA256 | db235695a5e95814d5f53e7212fa60856f08654410b4ce337e373530672eb8e6 |
| SHA512 | 9a36ce9c40d8a94098bd5b11685b9a393815cafbe77aaa22e5d5eaf5eb67bba23741c5230fcfadb1217837b03af7b5eaa642e192d8157041a7dd91f0e6f53ba4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 214e3e87e2ef19d54cda4fe55ef815cd |
| SHA1 | 7e512068f67bbf30c364b69406283f0143f722c9 |
| SHA256 | e3ca78f75268a521f68780ad9e26ce863db01d85c139b2753d9910eaedb3c404 |
| SHA512 | df3051ffb145268b3abcf5d6145bb61d5caa7c7656cd9da10cc0f16c05bc50d4c4cca30dd2d4c00c21221141b7bb8d8756d5c9f2c891e943bb6dff0314593d6a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | fc0159046d72145b10c9477201a98747 |
| SHA1 | fd1d82ce106a8337066a51b7d06d5caff19db5dc |
| SHA256 | 4d4be3dfed414eeb9a43b665976643dc3270f345d956b06cc1e3d5b86d7c5f23 |
| SHA512 | 70c788dbf076113f17d40681e5282ffce61858f1e042c196685b70f23d68b03e9f303a994693add346bd1e95b26961e29c7988af605dc53a01b70c3058d54616 |
\??\c:\Users\Admin\AppData\Local\Temp\grwbmh3j\grwbmh3j.cmdline
| MD5 | 6a8ecfbea79ad5cb59b160a270f685df |
| SHA1 | 92447da8ef9e9b63682c065c338a92eed57e4c83 |
| SHA256 | 6bfd532fce20941b075bcb7612f7b85174cfe64da230cc034efafd8ef3d41d6c |
| SHA512 | e223910cfe4a2a9805b6f706bc451ac31248b72f3bcdf571b4dee419c1c70208f55962a2e1e72ce28ec89bcb1bbd9deac0988da616f2c5e570e90d7bbc824051 |
\??\c:\Users\Admin\AppData\Local\Temp\grwbmh3j\grwbmh3j.0.cs
| MD5 | 86250b618b87cd6c811cdbdd80de5897 |
| SHA1 | a10767ee655787b3b8119aa4017e622535f6566c |
| SHA256 | 9e2ce796dfceb3c0d7514fff3f5a91d228aee475f3678239e3f3714dbead64a3 |
| SHA512 | cbfeff973c89db7f44db64fd2bf1bf0566f5daf6e74b3af45353c877a34e9ced8f0b499055d27878042d10aab1328f26a088b30514688550aabc02862a0f46f6 |
\??\c:\Users\Admin\Pictures\CSC3DF7B0E8E3EE478C98A1594E3E981E45.TMP
| MD5 | 4d419e6717df57d60a1c72d0b58e8294 |
| SHA1 | f3e4dbbfe384e25d681c18390114926c96f70228 |
| SHA256 | 8f22fff5a31710d2544e5f7d2235a3d3a83fcad4adc78a63f60d2db32c378587 |
| SHA512 | b775d83b901ea2b6175309547403cdea4c6533123ea3b3ca5b71e56cd4ebd4ab2a5974fc4676bfef5e4e6e2c210f5a8a44ed1c7c3ea6a5bd454ee9e4cc493804 |
C:\Users\Admin\AppData\Local\Temp\RESC139.tmp
| MD5 | 4a612fca9ab0ca797a81a3c4525e1e3f |
| SHA1 | a2652ace3e93ad0c634820282ae5db5c8dfe66f8 |
| SHA256 | ec53c1c5e6909c48e9f417a4d92305ecbf7a3c4f9c091e567c049871bf00200f |
| SHA512 | d8b50ae7a853596e5aac5046dc6084ec17969cbd06d4601c12d56a61a3ce67585b24c498f8e9b2e31c8e7b587c61b0b217e1fa6303fc38b2cf3ccee11a6d80b4 |
C:\Users\Admin\Pictures\MinecraftInstaller.exe
| MD5 | f42487f164caf1742d3b1960872e0461 |
| SHA1 | 515aa7d1becba3bc3b77d688171a66a8bc21cdfc |
| SHA256 | 93c4c991f48da8f60c43c567f8251c4e7edb791b4f4af52462a306c5f9d18750 |
| SHA512 | da2149aa2b25ea159440fa6276d69d66456e0103810e69dc48065b434f49a66cf160f9de6691c80a0d6db846c2c9e53b792cb232d62c20fc99502a1605fb5d24 |
memory/6076-891-0x0000000000C90000-0x0000000000CAC000-memory.dmp
memory/6076-892-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MinecraftInstaller.exe.log
| MD5 | 28d7fcc2b910da5e67ebb99451a5f598 |
| SHA1 | a5bf77a53eda1208f4f37d09d82da0b9915a6747 |
| SHA256 | 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c |
| SHA512 | 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6 |
memory/4900-907-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
memory/6076-906-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
C:\Users\Admin\Desktop\aint no way boy.txt
| MD5 | 4217b8b83ce3c3f70029a056546f8fd0 |
| SHA1 | 487cdb5733d073a0427418888e8f7070fe782a03 |
| SHA256 | 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121 |
| SHA512 | 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740 |
C:\Users\Admin\AppData\Roaming\sdf.txt
| MD5 | 537eefa0a7fe26f2a2175f84709252ca |
| SHA1 | 9316fb8502a81f7557972e3920b98ddb98f611fa |
| SHA256 | 1f3cfa205b608ad0920ee9b00c736096f4d6173346fc0ca6aaf06e08ea2bcead |
| SHA512 | 914c99af595eea6e98b45230f94894a8816cb005307ecd6520c40195a8bede6911ff013f1958f9f8ef6c8a152aba12699939facbc58e25ce4473a0d22df84752 |
memory/4900-964-0x0000000001010000-0x0000000001020000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 19b6e559f14a5ee1047ecfff1ff41d4f |
| SHA1 | 4330274fc8b68e8ab207fb3b0b85e79bd693e10e |
| SHA256 | 915c3320994666645022b40d654b75d843fd9a3238c47d2be3c9a2b5a1a40b9b |
| SHA512 | d9538f96d456845f3e12b78c6c8d73ae97a7ad311805953ac8fc8d61a732ecada6a1e63090daa4390ca3c5420de51900e72caf5498f63a2a593358898b9d9a6b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 67aa42f2cdb4a26cddf5fcc95d36adb8 |
| SHA1 | cbf9cf85e5c00711d2db570d0c735673109398af |
| SHA256 | f4f77bd9e77b99423e10ae425a2280a1ab5072f04dedfd845f9931e88e8340c4 |
| SHA512 | 228055cd3a2dd12020acd9a531d31957d828d2c90ab43ac164f912664b5a66e21d16356d9d8745842550ccf8fd9a2b48e6f76fa5e2edd277655838c5ecab4610 |
memory/4900-985-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
memory/4900-987-0x0000000001010000-0x0000000001020000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\3uinpxj5\3uinpxj5.cmdline
| MD5 | 6d5121a25d74e9264b7e91be6f43a115 |
| SHA1 | 9abbccd2ff37b1b8b20bd1a6f644beb8fe3ecbe4 |
| SHA256 | 394af20cd9ca756d8120d7926e80a5d96e54cb96349ba3bcb06315e94a3d9c70 |
| SHA512 | d1b61761a16553ab6647e7d57829761b7fbdf47da276ef03ead594edf5070d718bb45fe688c52bc524890071a0f53314a87de7ae2d15977d89b03257c4e17f1a |
\??\c:\Users\Admin\AppData\Local\Temp\3uinpxj5\3uinpxj5.0.cs
| MD5 | 41781cb861bf9c93b76e02b8aef84dce |
| SHA1 | aeed63a609d7b0ad3c60e8b96bec9a116eecfaec |
| SHA256 | 79b9b1c9ba55a9b33877d3b93a51fa0d818128575a5030cf1caf12c8bee8dbe7 |
| SHA512 | 0355a5d2819032c46edb9c8d359b0bc44801a9a4c4aed233ce6fa775d9f74e9b536c1dfa060d13321a170a680fa60064577e83e6524fae31033fd1950e2932e5 |
C:\Users\Admin\AppData\Local\Temp\RES6FF4.tmp
| MD5 | 1461a64fd8c4912ba66907b5454e2328 |
| SHA1 | 7a5a433f0e78802dd07c0f9347cf36f250d73836 |
| SHA256 | 8c56d86363aed6bd82daedc74376dc9f653e51f1ce472b4b7e776c223927a821 |
| SHA512 | 63d97544ccbfa94854caee4d754a8c1de56e75c1b053e94a8df72cf1206095cc4eafa56a1dd015b5bb7a41485f01244a56878a4223895d81b86836a85380e2a3 |
C:\Users\Admin\Pictures\MinecraftInstaller.exe
| MD5 | 8d55926714dca1fb12105427108e3f42 |
| SHA1 | 49de023ae157a837f4f4535e0868bf699a269597 |
| SHA256 | 635f9cb4766dc154d64bbbedc9ec3ede21af802ec7380c20ee89ba563cf33476 |
| SHA512 | 4cde0620e32b660f0565e6b6e8afdb55b63530b842c6c45ae1644d262ecda749f73d163542018c95b28f6d4850f0f44398a3e34f14c0637f51c932f31bef2736 |
memory/908-1026-0x0000000000660000-0x000000000067C000-memory.dmp
memory/908-1027-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
memory/908-1030-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
memory/1344-1031-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
memory/1344-1032-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
memory/4832-1035-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
memory/4832-1036-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
memory/3936-1037-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
memory/3936-1038-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
memory/2064-1040-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
memory/2064-1041-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
memory/1488-1042-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
memory/1488-1043-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp