Malware Analysis Report

2024-10-19 07:13

Sample ID 240316-l8m5ksah26
Target elmo.PNG
SHA256 b90d8effccd1bcfafd2efcfd786aeaf1babd741e2a0a8fbe9e0f981f66066bcc
Tags
chaos ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b90d8effccd1bcfafd2efcfd786aeaf1babd741e2a0a8fbe9e0f981f66066bcc

Threat Level: Known bad

The file elmo.PNG was found to be: Known bad.

Malicious Activity Summary

chaos ransomware spyware stealer

Chaos

Chaos Ransomware

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-16 10:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-16 10:12

Reported

2024-03-16 10:24

Platform

win10v2004-20240226-en

Max time kernel

686s

Max time network

681s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\elmo.png

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\MinecraftInstaller.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\MinecraftInstaller.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\MinecraftInstaller.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\MinecraftInstaller.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MinecraftInstaller.url C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aint no way boy.txt C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vfosorsph.jpg" C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\4 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000db89bb4ac668da019076314cc668da012206654dc668da0114000000 C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000030000000200000001000000ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78} C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Music" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000 C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Pictures" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\NodeSlot = "5" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\4\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239} C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e80d43aad2469a5304598e1ab02f9417aa80000 C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\4 C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Pictures\MinecraftInstaller.exe N/A
N/A N/A C:\Users\Admin\Pictures\MinecraftInstaller.exe N/A
N/A N/A C:\Users\Admin\Pictures\MinecraftInstaller.exe N/A
N/A N/A C:\Users\Admin\Pictures\MinecraftInstaller.exe N/A
N/A | N/A | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A  (×16 identical rows)
N/A | N/A | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A  (×21 identical rows)
N/A | N/A | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe | N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A  (×23 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A  (×3 identical rows)
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\MinecraftInstaller.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A  (×41 identical rows)
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A  (×5 identical rows)
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A  (×8 identical rows)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A  (×24 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2392 wrote to memory of 4032 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (×2 identical rows)
PID 2392 wrote to memory of 1092 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (×40 identical rows)
PID 2392 wrote to memory of 3500 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (×2 identical rows)
PID 2392 wrote to memory of 1180 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (×20 identical rows)

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\elmo.png

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb087f46f8,0x7ffb087f4708,0x7ffb087f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4796 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3600 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6076 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Chaos_Ransomware_Builder_v4_Cleaned.rar"

C:\Users\Admin\AppData\Local\Temp\7zO8F52EC28\Chaos Ransomware Builder v4 Cleaned.exe

"C:\Users\Admin\AppData\Local\Temp\7zO8F52EC28\Chaos Ransomware Builder v4 Cleaned.exe"

C:\Windows\SysWOW64\werfault.exe

werfault.exe /h /shared Global\b6d0f823f4524eb0a75fdb44f0a55b30 /t 1940 /p 3584

C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe

"C:\Users\Admin\AppData\Local\Temp\7zO8F5CBA98\Chaos Ransomware Builderv4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4880 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7128 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6728 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=7056 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15441022885972274893,16739543339232331799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\grwbmh3j\grwbmh3j.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC139.tmp" "c:\Users\Admin\Pictures\CSC3DF7B0E8E3EE478C98A1594E3E981E45.TMP"

C:\Windows\system32\SnippingTool.exe

"C:\Windows\system32\SnippingTool.exe"

C:\Users\Admin\Pictures\MinecraftInstaller.exe

"C:\Users\Admin\Pictures\MinecraftInstaller.exe"

C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe

"C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\aint no way boy.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\aint no way boy.txt

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3uinpxj5\3uinpxj5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FF4.tmp" "c:\Users\Admin\Pictures\CSCA50A54B8203B4C46B34B72C0B0945D70.TMP"

C:\Users\Admin\Pictures\MinecraftInstaller.exe

"C:\Users\Admin\Pictures\MinecraftInstaller.exe"

C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe

"C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe"

C:\Users\Admin\Pictures\MinecraftInstaller.exe

"C:\Users\Admin\Pictures\MinecraftInstaller.exe"

C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe

"C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe"

C:\Users\Admin\Pictures\MinecraftInstaller.exe

"C:\Users\Admin\Pictures\MinecraftInstaller.exe"

C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe

"C:\Users\Admin\AppData\Roaming\MinecraftInstaller.exe"

Network

Country Destination Domain Proto

Files


memory/3936-1038-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp

memory/2064-1040-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp

memory/2064-1041-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp

memory/1488-1042-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp

memory/1488-1043-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp
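The dropped-file entries above follow a fixed shape (a path line, then MD5/SHA1/SHA256/SHA512 lines) interleaved with memory/<pid>-<n>-<start>-<end>-memory.dmp entries. As an added example, not part of the report or of the sandbox's own tooling, the following Python turns that listing into structured IOC records, validates digest lengths, keeps the memory-dump entries separate, and matches a file's digests against the resulting index. The sample input is a constructed subset copied from the entries above; the function and class names are the example's own.

```python
"""Parse a sandbox 'Files' listing into IOC records and match digests against it.

Input shape (as in the report above): a path line, a blank line, then lines of
the form '<ALGO> <hexdigest>'; memory dump lines look like
'memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp' and carry no hashes.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the entries from the listing above.
SAMPLE_LISTING = r"""
memory/6076-892-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp

C:\Users\Admin\Desktop\aint no way boy.txt

MD5 4217b8b83ce3c3f70029a056546f8fd0
SHA1 487cdb5733d073a0427418888e8f7070fe782a03
SHA256 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA512 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

\??\c:\Users\Admin\AppData\Local\Temp\3uinpxj5\3uinpxj5.0.cs

MD5 41781cb861bf9c93b76e02b8aef84dce
SHA1 aeed63a609d7b0ad3c60e8b96bec9a116eecfaec
SHA256 79b9b1c9ba55a9b33877d3b93a51fa0d818128575a5030cf1caf12c8bee8dbe7
SHA512 0355a5d2819032c46edb9c8d359b0bc44801a9a4c4aed233ce6fa775d9f74e9b536c1dfa060d13321a170a680fa60064577e83e6524fae31033fd1950e2932e5

memory/4900-907-0x00007FFB04440000-0x00007FFB04F01000-memory.dmp

C:\Users\Admin\Pictures\MinecraftInstaller.exe

MD5 8d55926714dca1fb12105427108e3f42
SHA1 49de023ae157a837f4f4535e0868bf699a269597
SHA256 635f9cb4766dc154d64bbbedc9ec3ede21af802ec7380c20ee89ba563cf33476
SHA512 4cde0620e32b660f0565e6b6e8afdb55b63530b842c6c45ae1644d262ecda749f73d163542018c95b28f6d4850f0f44398a3e34f14c0637f51c932f31bef2736
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algo -> lowercase hex digest


@dataclass
class MemoryDump:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (dropped_files, memory_dumps). Any non-blank line that is neither a
    hash line nor a memory-dump line opens a new file record."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_LINE.match(line)
        if m:
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None  # a dump entry closes the open file record
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m[1], m[2].lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has wrong length on {current.path}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(path=line)
        files.append(current)
    return files, dumps


def build_index(files):
    """Map (algo, digest) -> DroppedFile so any one digest is enough to match."""
    return {(a, d): f for f in files for a, d in f.hashes.items()}


def digest_bytes(data: bytes) -> dict:
    """Compute the same four digests the report lists, for a single buffer."""
    return {a: hashlib.new(a.lower(), data).hexdigest() for a in HASH_LENGTHS}


def digest_file(path: str) -> dict:
    """Streaming variant of digest_bytes for files on disk."""
    hashers = {a: hashlib.new(a.lower()) for a in HASH_LENGTHS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def find_match(digests: dict, index: dict):
    """Return the DroppedFile whose hashes include any of the given digests, else None."""
    for algo, digest in digests.items():
        hit = index.get((algo, digest.lower()))
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    dropped, mem = parse_listing(SAMPLE_LISTING)
    idx = build_index(dropped)
    for f in dropped:
        print(f.path, f.hashes.get("SHA256"))
    print(len(mem), "memory dump entries")
```

Feed the whole Files section of a report to parse_listing and the resulting index can be checked against a host's files with digest_file, so a triage script matches on whichever of the four digests a local tool happens to produce. The length check catches digests truncated by copy-and-paste, which otherwise silently never match.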