chaos | hxxps://github[.]com/Hacker2425/Ransomware-Builder

Resubmissions

18/03/2024, 13:35

240318-qvwa9ahh84 10

18/03/2024, 13:32

240318-qs3mjsae5v 10

Analysis

max time kernel
292s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Hacker2425/Ransomware-Builder

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 5 IoCs

resource	yara_rule
behavioral1/files/0x00070000000232b3-216.dat	family_chaos
behavioral1/memory/5828-217-0x0000000000C80000-0x0000000000D0E000-memory.dmp	family_chaos
behavioral1/files/0x000700000002346c-283.dat	family_chaos
behavioral1/files/0x0007000000023473-720.dat	family_chaos
behavioral1/memory/5488-722-0x0000000000D30000-0x0000000000D3C000-memory.dmp	family_chaos

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	LOL ransom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	LOL ransom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.btho	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	Decrypter.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	Decrypter.exe

Executes dropped EXE 7 IoCs

pid	Process
5828	Chaos Ransomware Builder v4.exe
5488	LOL ransom.exe
5424	svchost.exe
1460	Decrypter.exe
2676	LOL ransom.exe
4980	svchost.exe
5828	Decrypter.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbs6greww.jpg"	Decrypter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vgyu1fyed.jpg"	Decrypter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "3"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "4"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{93592ACD-8709-4918-8F2A-09B5F732F646}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 78003100000000007258906c100052414e534f4d7e310000600009000400efbe7258856c7258916c2e000000b23202000000070000000000000000000000000000009c075000520061006e0073006f006d0077006100720065002d004200750069006c006400650072002d006d00610069006e00000018000000	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Chaos Ransomware Builder v4.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5464	NOTEPAD.EXE
5920	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5424	svchost.exe
4980	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2324	msedge.exe
2324	msedge.exe
2824	msedge.exe
2824	msedge.exe
3132	identity_helper.exe
3132	identity_helper.exe
4656	msedge.exe
4656	msedge.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
492	msedge.exe
492	msedge.exe
6092	msedge.exe
6092	msedge.exe
3956	msedge.exe
3956	msedge.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5488	LOL ransom.exe
5424	svchost.exe
5424	svchost.exe
5424	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5828	Chaos Ransomware Builder v4.exe
6092	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	5600	7zG.exe
Token: 35	5600	7zG.exe
Token: SeSecurityPrivilege	5600	7zG.exe
Token: SeSecurityPrivilege	5600	7zG.exe
Token: SeDebugPrivilege	5828	Chaos Ransomware Builder v4.exe
Token: SeDebugPrivilege	5488	LOL ransom.exe
Token: SeDebugPrivilege	5424	svchost.exe
Token: SeDebugPrivilege	1460	Decrypter.exe
Token: SeDebugPrivilege	4680	firefox.exe
Token: SeDebugPrivilege	4680	firefox.exe
Token: SeDebugPrivilege	2676	LOL ransom.exe
Token: SeDebugPrivilege	4980	svchost.exe
Token: SeDebugPrivilege	5828	Decrypter.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
5600	7zG.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
5464	NOTEPAD.EXE
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5828	Chaos Ransomware Builder v4.exe
5828	Chaos Ransomware Builder v4.exe
6092	msedge.exe
4680	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2912	2824	msedge.exe	88
PID 2824 wrote to memory of 2912	2824	msedge.exe	88
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 4836	2824	msedge.exe	89
PID 2824 wrote to memory of 2324	2824	msedge.exe	90
PID 2824 wrote to memory of 2324	2824	msedge.exe	90
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91
PID 2824 wrote to memory of 4128	2824	msedge.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Hacker2425/Ransomware-Builder
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd0fb46f8,0x7ffcd0fb4708,0x7ffcd0fb4718
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3908 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:6128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2568

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5208

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap9664:104:7zEvent5892
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5600

C:\Users\Admin\Desktop\Ransomware-Builder-main\Chaos Ransomware Builder v4.exe
"C:\Users\Admin\Desktop\Ransomware-Builder-main\Chaos Ransomware Builder v4.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\chqabunh\chqabunh.cmdline"
  2⤵
  PID:5768
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93D.tmp" "c:\Users\Admin\Desktop\CSCC2F2DD17484343A68E51FF61DA772CD2.TMP"
    3⤵
    PID:6120

C:\Users\Admin\Desktop\LOL ransom.exe
"C:\Users\Admin\Desktop\LOL ransom.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5488
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5424
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow
    PID:5464

C:\Users\Admin\Desktop\Ransomware-Builder-main\LOL-decrypter\Decrypter.exe
"C:\Users\Admin\Desktop\Ransomware-Builder-main\LOL-decrypter\Decrypter.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:640
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.0.1848531638\771005402" -parentBuildID 20221007134813 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a079c0c0-a008-4691-b697-d21f15eb090e} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 1944 14cfecd9358 gpu
    3⤵
    PID:4092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.1.196734479\895167804" -parentBuildID 20221007134813 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63cd6964-35fd-4966-8b2d-957339147059} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 2344 14cfe643858 socket
    3⤵
    - Checks processor information in registry
    PID:2792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.2.274380909\1085613897" -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3244 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ca66aa6-5c22-4239-9a0a-12949923e3e4} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 3260 14c8a5fbd58 tab
    3⤵
    PID:4200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.3.1654493506\62004897" -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae16f8cb-0d90-4d11-b370-3d1b263f9d2e} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 3704 14c88f52258 tab
    3⤵
    PID:456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.4.1033532278\1227856169" -childID 3 -isForBrowser -prefsHandle 4068 -prefMapHandle 4064 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efff556c-46cd-4f2b-be24-a53bf6087193} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 4052 14c8b7fa858 tab
    3⤵
    PID:1960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.5.1812144367\473810913" -childID 4 -isForBrowser -prefsHandle 5076 -prefMapHandle 5060 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aeac93c8-22f8-4c64-abc5-f9f1b449afdd} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 5088 14c8c5db158 tab
    3⤵
    PID:4864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.6.1456946285\360004421" -childID 5 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37a2cf9c-6f3a-47f7-9ed3-9f6d17069e54} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 5152 14c8d08b558 tab
    3⤵
    PID:5312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.7.783069825\5653722" -childID 6 -isForBrowser -prefsHandle 5356 -prefMapHandle 5360 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f6f9f94-c3cd-4a9a-9cf2-e32875ec3e53} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 5344 14c8d08a958 tab
    3⤵
    PID:4508

C:\Users\Admin\Desktop\LOL ransom.exe
"C:\Users\Admin\Desktop\LOL ransom.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5920

C:\Users\Admin\Desktop\Ransomware-Builder-main\LOL-decrypter\Decrypter.exe
"C:\Users\Admin\Desktop\Ransomware-Builder-main\LOL-decrypter\Decrypter.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:5828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
73c8d54f775a1b870efd00cb75baf547

SHA1
33024c5b7573c9079a3b2beba9d85e3ba35e6b0e

SHA256
1ce86be0476a2a9e409fcb817126285bc4ad83efd03ee06a2f86910fe18d4d94

SHA512
191344f5830cfea68499bd49073ffa7215a42265a9629d203d07849b2417c0ffdbdbf288bf2c669e91009a0d7e8bd6a6b378c92fc283049141231ca7bf4da3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b206e54d55dcb61072236144d1f90f8

SHA1
c2600831112447369e5b557e249f86611b05287d

SHA256
87bf9a4c3564eb3d8bef70450da843ae6003271222734c4d28d9961c52782e0b

SHA512
c9e8d2452368873e0622b002a0c2f8a2714b5897a09475738a9f9740122d716a9f0d3841725230d58e039564c820d32a6f3a675a7bb04bd163bab53dcb4e22f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
32KB

MD5
3baf7c2e036abf00bf52d8e4a918e970

SHA1
0eb5406e14050dc41227ba74b64a38da778fe5d6

SHA256
d30dcb199ca26a9664a46c01b4eccb26f5b8682f04480d0a9d2beffab7d0a049

SHA512
c12875c0e5085f534496ca9f1f43bc4d5097f6d4d969f70ad1651bf01bdd4e9f5e27c93413ef0589c06c647c0a22d8c4b7a2ffbda2fe61bdeb84657f53a6a429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
26d280911b987657964fd2208056aa00

SHA1
d08b8b3ae8393fd92f500655520e5aabd3aa6bb2

SHA256
33708d5607b6b1fe1a40a1541bce732128c7ee08077948cc2b198db42ca10391

SHA512
792b75e4664a28d8d9bd36b6424974c7d9bb8e21f3ddcc2acda53bb761ee130b322056666e8f6f1e69fe529d537d01589bb8b0df7e0453dbb7b659c4eb69c6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c0f24952a22f2489f564693342c83a31

SHA1
7142abc93a2bfbfca6a65c4e33b3a9d7b2eaf7c7

SHA256
e9ca34a52c8543095316b53d041434ca6a281fb7d108f0d89e50e13d389491b3

SHA512
2c5732ef46b6ddd2d36f80f75bbabcbc269aabc94978090455a5f3e25f7435d7e220483bea2351ad586954229974963b5c988be5d44d6b2117bc83d82d9ff008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
a6d346f58cbec0a6e4015327b25f1537

SHA1
750056e65a8b1c20b1a6051f5adcdf35821a6ac1

SHA256
1a715b1b5b62ef83ca8c62a18eddb3b5b6b738be2c654ab7a38cf22fdc8bea56

SHA512
74e563217a28cd6427739731f51ba2e35ee060c8ae6959d458d06a0416e17ffc6a49f8d0bbcb8d17cef144a45c36eb9f3b92305389ab0cfc5043f530d9f28d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
463f615865d92339eb68e23cb603e539

SHA1
1caff5854dcc2665be53c36fafe53602f39fbadb

SHA256
a71ea36b4801d34a72d4cf2e6697acb39eb69abbf866461cc64d84133710759f

SHA512
f77f957a18753ea34c90d48bc81ed4a6ff65a8c42036d2ebc622ea4e5bb7a4d76eb1e9e6367d765edba69e83c973dac2670a97cbee3f95d08259ef667cc8b5a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1013B

MD5
2e8fad7d0514c645feb88163368d2ea2

SHA1
d694abcc7351579d92a29060f59dddb4dccc1c00

SHA256
4d9c1bccfed0bc41a2d5597987f9705e5e708d132d2201bcde41fdbc3e9c8347

SHA512
607bdeed24216fe8c3c11135c11a8bdd327600b79f91b53425f97542e58aa5ac02174279451587e4a76b867f785a751fcf2b91ab4c57a475848ee765e3f6fd75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1160358814d2d3acf9c172cbdc71d470

SHA1
51e8e2ef259b99a3f4c855be7aa82ba0ceffe3b4

SHA256
ec13e95a3cacca325527e64500b238433ae8f08792f018235d84a05eb381f2c2

SHA512
a01da71236823ce47dc553622c5dd2196e704d98df7ba15543c4926060343c520a50f8e40c4b3be2ddfa27ec175f386732d060ddbde393ff578e58df92f22976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
13de4d9bf5615be7d582980f58f71160

SHA1
f920348d9b91f095aa5ce90b87b4d3a2d96e3130

SHA256
296eb4644731fa7dcf61966bfc759078548f8f65e8438f9a2350892752e0c2e3

SHA512
7d56c3025b94df59f37021902949c511405f26951e686b2a6be5625dff179dd1cdcdace64ad0495534c4a63dccaf8843ffe856877680db8fc6ebbf027ad9ab3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
47af57de259be87991f1352b0bfd2586

SHA1
309e5ac652ef074b3635e54ee8b6621b81395072

SHA256
2200e630c2e736720a2cc6e11b072923896f67f69c7d9a3cd80a6d592ef53bb3

SHA512
720fc1cbc1b2e13e27cde44cbb3b4ecc18c463bb646e1c5b778650e9680eec1abab742beacf4c6103dcd8a3d33b94211256ef68fb5c71c91ae035a6983363030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5f8179816ca68e840192ef118b001252

SHA1
952207dad1cbd34c24778d6f748034128a61be4f

SHA256
d91f36ecbe5c44619892ddc28f564e48bb0ec659bea864fdf51bb534f4694be6

SHA512
555b727233b7e353cd6169278fc33727d2d8e704784124a5f5fb7d9a8d9ec592c41642cb3943b10d46c032afa2720fdb1264e0292704b83b27b32c0a9c4b3afa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d01cfff5290d82c18b7b7f7812a082a7

SHA1
c132493913e3ba42f3960bfb5c3148bc6fb5fe70

SHA256
bc0da9cd18fa6e1bb1a903bbbb8d6744d5840ad355594d6360c85f68488a6965

SHA512
7323aae81ed579f6d1d2eef7c590404b362247dc99c56468ab9cbf92567976dae7c7aef2a800cd092860465f8c2b54b389d72843b5b525d098b9883058ab264b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fa163b9f462b6269e1320896cb6a39b9

SHA1
1bcb387f6503a791ed0ea285ac4a24eea925be22

SHA256
226629cf1c19b9239b0f091c50de1f0b7c843e21d034f299bbb01f78dc44df33

SHA512
d65d5e79142dd97f71926718469e8adc8ae8d9dfccf0afa20a2b7936748e0dead29c99164c4db24e9475f8bfc179ca538bc83000cbee5531f0a973583fe8df55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6250c2b5df87ac1834eed7fc0ae5d8a5

SHA1
15e9f3e191be0e97899d04383b59ae0b8291ed41

SHA256
83ff190d7eb06da52353528fcf085191abd5c2f4b4d73b0621e39604770297cc

SHA512
453defdc77b886e5f3325f48cc4b9b5f00169dbbb8fa372e52072df3c67535a362487dde38ad70c5f8279c2ebe41bcf225268e7dddd6cafacc5f1285b386537b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
de71f3207eebe1816e174c3be36dbbaf

SHA1
cc33f2a51e97a990d8f0b07227f9660130749753

SHA256
e1bc07e66248d932017543f78e8bd42871cee2f0dcbd5d72a6ae7cfcfa95619f

SHA512
6cb40802c5c7ca9a83c731ad2c48e257ab5d18742204f13e36ac8285dbe2d257ec2deda48128ab3485287071027c04678ab60e73b9279f1f12263b15e103f102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bd26.TMP

Filesize
874B

MD5
e7ebcad19bc3f5f50c3d77f75dc0d508

SHA1
6ed4a8ede1fc4af956045bb8b8a14c920356c8bb

SHA256
e4dd6e309768fd3397f06d08498606d5469f09c6498e4e64e8de066a5733f195

SHA512
c802b790a82961b7e4f9c8a6aacdcd8563058df92a35a698099c8aeb1815a02c24b7c737a128f0af41b1f8b15e6422b9871cef293b59e2341e40640157566067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
37bf6d1f7d13b81598de3002486e0d82

SHA1
3bfdc96e07a92c6ef0cb22292da8c411baefb708

SHA256
4c99da24783ea46e42388ca4a5aefc031159cbdf86ec6be56feeee024ba4f490

SHA512
7c1784c3054ff5cf5ad4946fe141a594990dcc3504e3651c5d1520448d123b6bfc5222f6bac5e2261e9cc48e8998f2cb54965a54ced2e32fa8a6ab61751b4817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
05bc1eb5908653db3b98749bc897eb8a

SHA1
b8ec6f848668460992ac5ce89c21f59017320448

SHA256
db657b8fcb3175e80592d92ac538f97f0279f42fb3c2c358b0ebae7506d261e7

SHA512
8e5cef52a1b9b1fa0fd6592e5c87a15a0c9530a15a1c5b1b656320a76d107b8f0a2f5ad1b526bcc2a2743557dc9a59929e20d82759133e1dec040e863e90c668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
227d3413339d00ec3940714182f81a86

SHA1
610c8b7c0e91d382dc799ff6bf3343bff4082b77

SHA256
87bcebc7d4487a822feba888d4ef8ebd01dfa7ed1478ed9dcef1f9f1cc665836

SHA512
07e5388babc5394eaaba0c374b3f803f097da8f45d107e926fce1e0451fc405350b8443cf66c2cc1ac463e69d3ae030e04237864d7e392a891c0d19d14b614a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES93D.tmp

Filesize
1KB

MD5
82a64a0ebbe57aa1b9147caf06081350

SHA1
5abe8c0bc41e6b92b7d3c837828c34b920d1699b

SHA256
153e44e35a777df8230ec98139257cddc4aefee799b283fc4ebc651a2b61c0e2

SHA512
d7a54f0a515251a940e991e6c44d1b2996f0713aab7931dbcffd5a3d70c096e634ed8b82f9abdaff3411fa7f46e2fb517b203b680e889784866800bddce550c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk.6pv3

Filesize
407B

MD5
f727cbb9351106b2dd46f3ef649f3176

SHA1
5732055ec636a4706c6da6857ce1c1ebc1bc86e5

SHA256
cf116b33831de9f80847abdb2a0d92ab3d3f956a8e209ec95d35d986eea8c7b5

SHA512
01dffdcec62254701b9523bca7f572c1f5a5328a18c01fd6590721aded39d86db801bda23bb83b23876b67101991426a5c54087597971206276eeb18dd70f6bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
3a452fa4f65408c20c6673bf1c510a48

SHA1
594ae9dae87ea98d0b3335fe954bb5c04402754f

SHA256
ab72c283dd9289bf1f31309218ae41b5b14553b0bb137f55841f90f3695de217

SHA512
82359c39503921c210046c7e51e46fed2b3fb9bb0d412c6e3e36268cab5b11642df2fead52815f09a2e1aab44c195951b53cdb7e354b10e1c44bf75915c26c04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\pending_pings\875dff76-df06-48f9-9286-464bb5366f9b

Filesize
746B

MD5
575b503baf7e045cfa91dc086b918da9

SHA1
b4a4f51f9ad52c2a9e93a0b790fe408eb64f7d25

SHA256
fc8f29bb7579df38f501da3f8ad3b304adf17482a87cace2b2809e58075d4c6e

SHA512
fb9d4abee49e390c3adf8e696eebfb70ecb6f0e355880e86d04a1036ecfdaec8e4c1f4f511e67b86245057202f3400cf813fb35a0e96088ba2135167b19dee3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\pending_pings\f085b9bc-238e-4b4c-bbc9-5755b8a6f3fa

Filesize
11KB

MD5
7729e517c2afca6b94fa83163805f718

SHA1
7b02e30c2af7ae4e084c0e7090a9e0bc2fdba63e

SHA256
008f97cc42fcad8c328db1dec9809fd162814839b2271efe0085001438704337

SHA512
c0af8d8d25343d972aaafde13b49fd8f4a5c19c330e14104cf8d069b77465055ef9280292e4d9c5a41d8cae52c90a3756a61ae6e34d448c5f412e99c0f89149d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs-1.js

Filesize
6KB

MD5
096ee28c07f4a48c57ef853326fe3964

SHA1
9c821ab9726c271aae0ff483d607a37e7b8bf957

SHA256
be9eb319aab58f5bd428b8872bde713041730a6decfdb375a978dc553a9df07b

SHA512
1ef088d079bed7c2cf135a41260fe1b46c3952989e8159ed33bb2b552610ee2d9b2328017c8368c20b3f28f6c7394130d688d3e46ac942acffba6a7dacc2d03f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs.js

Filesize
6KB

MD5
60e6643d161a37b273fced8789013511

SHA1
585e3e659fe2d26e28de377309aab36d0b67188f

SHA256
303f6b074bbfeeac0fa59476207ec095dc026fcddbe60d066233709405bed334

SHA512
32faa14755589eb6965912e03247fd7b88771e15b5ee042180109c695562e0c3c217c1bba591fd765f915ea20f06b1f788c7c0c4554c04150cefef291b678be0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionCheckpoints.json.d14z

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore.jsonlz4

Filesize
882B

MD5
6af7afce6ef50033ab10ef58b0cedc43

SHA1
8e5c6821d08e24a4ba8c88714da7d8cc2ba74bfc

SHA256
6c2f261ae65b16eb12c2caa43622e393951958083ec2fc81d5a83da6ed9ae10a

SHA512
5ba9a2271d9ea9b43bf2917a7bd994bde7ca8afe62cbd9f7f23b25180f3bf0f83e8bb38dfc1261a93690776817c11fe4965dfa984448b17af030b748bd242344

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\targeting.snapshot.json.pthn

Filesize
3KB

MD5
4f4a0943b5784fe752d4ad1a73a21254

SHA1
fbaf30a8ccb7313b0f72a29b2b1b0ac303184cb7

SHA256
0e1cd524d7d87bb6bab636810431fe147fdbae2f69711ab7c06916e809a913bf

SHA512
4980e0e8e13e41a6e8545788befc7ea2289779079194e2cde8deff9797fe4bac0de9078e13d6b0a12a92db38db409f57f648f83194a2fe89598ecd8215da6010

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\xulstore.json.q80d

Filesize
120B

MD5
05e1ddb4298be4c948c3ae839859c3e9

SHA1
ea9195602eeed8d06644026809e07b3ad29335e5

SHA256
1c2c5d5211674c3c8473e0589085499471399e53e9a85d7dd3b075fef6cbb6be

SHA512
3177b48cd0c877821419d7e5eb247a4c899bc37258994f22257ceaafefb316e6f5959faae02e380e432d7752f0218d45d56d6878c1e751d201d9fdb3ff98612e

Download Submit
C:\Users\Admin\Desktop\CheckpointUnlock.dotx.tnol

Filesize
756KB

MD5
f847b94c984d36a02bb47e44b384943f

SHA1
1be95b299f07ae1674b9c4792fd39de035c783d2

SHA256
e9ad6e2b4fd47e73b80846b5d04209eacf577b5a226b71cfba3d9160b1963622

SHA512
45023900103e3bf31c96cbe9e711d56f2d74a9969e3772396b789472c9590ee82fe4c0f7990721832e4be1d9c8cf110edfdecbf8d867de998114f0ca36199071

Download Submit
C:\Users\Admin\Desktop\CheckpointUnlock.dotx.u4gf

Filesize
1008KB

MD5
6fedf1db0933ddfea2195f02250e11e5

SHA1
1faa3945109960df7d6a5329a3f916e728374887

SHA256
2e24cc807d45f0dc3b33e5b0342fd86a046650702efd35377f240e6576d11e9b

SHA512
3c87e566ee11355460992c64218e6e4f133da6f4e146663ea71d8eaeb192e2f06b3f9c67f9485e89913d29361c7cd8647fac98809b8a7003994066447b896074

Download Submit
C:\Users\Admin\Desktop\CompareRename.dwg.5x6y

Filesize
493KB

MD5
47173dbee39ba716734f8f3aa397a6a5

SHA1
b0abd41d3f022caa12698e4fe441a28835e63faf

SHA256
152e02128484d3c7f68cedb1557c1a6011a9c806ff9e4faf20a92d02d0d3be69

SHA512
71641de17f21b996a016c16102972f7cd55ee556c136e779aa4db4840ba669e912a8efffacaed95e56315b75846d9ea3f281fdd263e978b4a310d054b61700eb

Download Submit
C:\Users\Admin\Desktop\CompareRename.dwg.lc6u

Filesize
657KB

MD5
2f5ebb723f51eee6b0de3335daff7d39

SHA1
5e8effb1117c289ea6789fd34ad194a67455f88f

SHA256
acc6cc32f0298f59a5f2acc28714b4b43bde03f8f7a54d3a8bdffe59e1653896

SHA512
fcb6e9175ce0ba1d05a33e06b62b5698ff7eefc6c9ab1679462d44cc310391e5799c3d4a9d209c9ba5ba26d9a9285e4286717c9f278597167dcb0faec2e9a6d7

Download Submit
C:\Users\Admin\Desktop\DebugJoin.mpeg.bt1w

Filesize
690KB

MD5
eb0214ad1f3d84179d5f026481c99885

SHA1
5f019527e21fc8ea04e4f3309a0c4f78523b1f42

SHA256
6326e9cb9663b8cfe137455564b2c198fa3a1126d3554324a5a5cca1c8f34e11

SHA512
e393b46eaf82674e32e377362186618966524159826a69cb30c753821257dfab87754652049fb7b6d4c56af836fde62f9223e2307e42d36f58e19d2e810464bb

Download Submit
C:\Users\Admin\Desktop\DebugJoin.mpeg.v678

Filesize
920KB

MD5
018d30a00c997aaad803d1b750cdb229

SHA1
44788f156b7eab7830f2b1c2cd1d4063e479e38f

SHA256
b4076065305cea82133723e3d69a2552e6688186268a7d14b01cf44afbd7416d

SHA512
2ba939198a9a34417c8aa21ad7988b7a94c1b8c05c2885937a52d6a75416baa302df72dd72e083ef4f36fb5cba94c80f7d3d049841ab0c9fb26f6493d5faa43e

Download Submit
C:\Users\Admin\Desktop\DisconnectImport.jpeg.0f6m

Filesize
602KB

MD5
9239fdca5c28ab2311c81b4959eb8a04

SHA1
663efe77f725e89ece06aad2df978bbb0db19489

SHA256
af38a0773d14009734699d72a2c868d2c35ce772542a7938c3d14dbb2f610e1d

SHA512
2f254333bdab537503159a57a593f55a55d0554f6dd93fb6121fc209943ad2ece68e1bc57bccb195750f159bf156fd66d1093e60bb893529007568e05c622f02

Download Submit
C:\Users\Admin\Desktop\DisconnectImport.jpeg.5xwe

Filesize
803KB

MD5
30eab1a3bab5736e8dd5ba3c01da62d5

SHA1
952b3c76e4e4cbd1424fe3011136ddab8a1616b6

SHA256
87a1d0ea3acd5f739d6e43ec5c1fbcf691a2b18ad7e9275b18f28ddff8fdffdb

SHA512
b93e323781940f97d0c9891d2472243c64dad9ba1c1d2a135a1a66cc47867df75802fcfd208edb9ce5a908abf2434b1bc001f1b4695eec3be49e422378e23806

Download Submit
C:\Users\Admin\Desktop\DismountUnblock.tif.svit

Filesize
317KB

MD5
e36d14a59bb9a0053e9866877b5d6427

SHA1
4046e93547786f51c2daaaae99ac2aef872a1eb6

SHA256
f0989fb5f0bae7be3cb602dd712160932ec235d16d5ed588ae2a742519f706bf

SHA512
36b7f8be5684ca8e5bbdc359b8d61c6770c31b76a91e295ddbb47ec0089b5a32ad1b391b423b0954b50a9cabdc573508bee349a8ff4bc8aa79af0eba083ee442

Download Submit
C:\Users\Admin\Desktop\DismountUnblock.tif.xeyt

Filesize
423KB

MD5
324c347e19c6239619546282cc494402

SHA1
011d594654a80c98695de6ad45902250cceffadd

SHA256
06607f0a0b006fd700fc29005c116bd70945cb3feaaae2109b31186501aea443

SHA512
1838a35d101789d3e1d676364ed0143da1cbbcd466f20d7195e0187415880e01d31cb9d42ee15ba799fc1943197b31f43d27ddf5a13466c842eac978a74b5a89

Download Submit
C:\Users\Admin\Desktop\ExportNew.asp.4x68

Filesize
909KB

MD5
ae84a049562e3ad91c15c825004c8fb6

SHA1
e7e31208af0e6c13502f2178b20e9adb34ee896e

SHA256
63c6f6d6893ad91f1e703fd3847bf32b3e89a800b4502e4fc52d5826e1a8d1e5

SHA512
271f067c99e3e7b923d0cc5af4a5adb78cf68671f37b9f74a0c0de90be5cbb6571d0e9db05cd66afe4ef5a9c9b9aa9e3dceb7500be9183bbf09bb52a98d4abd6

Download Submit
C:\Users\Admin\Desktop\ExportNew.asp.90sr

Filesize
1.2MB

MD5
91ae42fe8b03681e59c5ae020b1eab0c

SHA1
27e1bb93ebbe16aa324a026119b5589f75b0c78f

SHA256
6d0201ba9d9ee6aa66943a6a7fa892d4e9f3dbb1e308a3b23500593065190c6b

SHA512
3759036ceed6aee9cd3ffaab3c7e62ee73c7505e4e9bbaf5cde3dec9d922c0e8526ba1cccc58e0dded4fe4578f28b15eaf01ebcfddfe84c9098544fe1cc8bba5

Download Submit
C:\Users\Admin\Desktop\LOL ransom.exe

Filesize
23KB

MD5
c03d16375f97405814f8634857152c37

SHA1
117a2775c35da4549833adbe8e208c05f17e75b3

SHA256
68bef5139b0af7cb84f948a671c30a2aaf42f0f13c40559a975842432bdb5b20

SHA512
bb31efb011b68ab79c5e0cdafcf98f5d9b11ee84fcb2dae99105190ba1152af82fe2df3cf32671285dde37c5177eb9b2a7bb849b5d0f32d06e957b2eff837285

Download Submit
C:\Users\Admin\Desktop\LimitGroup.potm.h48r

Filesize
405KB

MD5
fce16cb2ff303c656761ce76eea3ede8

SHA1
830e4a81f1bef44e41ee84196eb93cf23284ffa6

SHA256
ea3a6992a5c5fe91e7cc606ff9c8c661e01163ec6de6083233e3264ca19efd78

SHA512
e5d1bfc3558cb6e50827ea3b1a63bdc40ef330d3a6e532405f9244d87843bf4a90573f643fbf17c61e5a556b5679f7d77a784e4253fc66bd089cd595ef85b5e8

Download Submit
C:\Users\Admin\Desktop\LimitGroup.potm.ln7d

Filesize
540KB

MD5
f15643527793f1f5e2f553b856dc7179

SHA1
20d95605450258df0d07e892048be500c2c8847e

SHA256
f52c9043324a96afd011c6f756f4431425c96325ab84263fd91b792ee2b52d33

SHA512
14748d0d1ebc36e370866139399fb492e76d2ad57a57a92a1a67f2066511d3a8d2cf9d9d6d447e12d562b323c171beb9a23086c876f84b7720a2c249e73d5276

Download Submit
C:\Users\Admin\Desktop\MeasureRemove.odt

Filesize
515KB

MD5
2a981a5da458e3e983abbc171cb967c1

SHA1
f13b7f93187f6b10c9db1a91a8ca2bc20f88427c

SHA256
2f6fc00d98d525ad9d90fdeb0e2337cc330faf42f5e172c3a8325f306839680d

SHA512
933d635fc5568076e0a98e20eab7d4cdf1d840110fe2e149f06f097633f6c1327db11dd068263e8a446d73334858550b41b68934ee4b5247f2df10844d4ebaa8

Download Submit
C:\Users\Admin\Desktop\MeasureRemove.odt.dvfx

Filesize
686KB

MD5
0ffa2050c41cb673d01ee1c4febd03a9

SHA1
53f4a40f1ea76a61f19220aaa60435e45539c32e

SHA256
3d86744f2b5dba561f80a7cac77210723964bf0f58480fada21ab34cd5713074

SHA512
c4ccf69ed274215f6dada1c6eab57d98e781e18b93457347cc4e5b0ba725214c5c2d364291ac0b593a47f018216bf3cab4f7a234f770dfcc81a79a2fa74a65d4

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk.jfis

Filesize
3KB

MD5
f555bf68721d7971644abe6743ff1921

SHA1
3c6e26e93a34ba319a6672900a0dba1ac7da84b3

SHA256
a412ed05ad717a71272325f9a02ac448d03ef777f5a61f41272c2ad5f3957a83

SHA512
4d5717da56423fde1c05642382060cd051f9203085bc535da22c8b8c930ec7b7d6e0878df6f1d9a5936aab097bca7f7f2ff5da8bce9a9a978bb49040bdbc9c32

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk.zq8v

Filesize
2KB

MD5
6956dcb45a100b3fbe3e25c738a0560e

SHA1
c6ce22ff3f84d0143cafad68c545949bffe9cb01

SHA256
16f3583a61350ef865ec5ebf02aebfaa322eb44e00f3dc3e64c5b849af2f6d31

SHA512
a84fe9c763cbe2ccb6b35dcaf0c7945459d56f36006bf586a525ce5aa8c4616d85d3b4a82c8c1583bde521698c3f14794fa3b53aa0e8fcbf059f2c0cc96785f0

Download Submit
C:\Users\Admin\Desktop\MountNew.mov.al6v

Filesize
580KB

MD5
07932b89fee3636e0bfe1586f8324f1e

SHA1
fbc350e379248e5f9b74dfb014fe380403ee9932

SHA256
610907d9431357ef2b1e293888a435367fd29d599ff9f89cb940cbdec6b2150a

SHA512
6402d00ea70b53b02d6f40f83d89a9995fca4696adf969e6bbbd2a5e3587ccebe69e8ff7550f2f3cf6e15a35dcb7dff10fa0c9bad00adf8f463781693f21df60

Download Submit
C:\Users\Admin\Desktop\MountNew.mov.x2lh

Filesize
774KB

MD5
483819fcae717bb40b86036157c23a19

SHA1
66b0a6e14eac88502d11c02eea19347e4951f51b

SHA256
ae68ad0f7f783142bcd7d87c0a6d05d5e6e71308e751ece98a0d899286270221

SHA512
cb7589eacf593a5ed7683201603d7458b52dbb648f5c0401d34056b1859d058512a7f7060e0a2ef87f819fc09a77e5495591af148f31a5463818f54961d58075

Download Submit
C:\Users\Admin\Desktop\OIP.jpg

Filesize
8KB

MD5
de3d6e3936a38a812ae344cf9f48ec23

SHA1
6f68ecdcdb31cba99308de934ed280dca8c9209e

SHA256
9bd1510d3d9c56137b99b7e3068e09feda4688ae6de67c7f2905a8d83714565a

SHA512
e4fb57a0cdbb37e1f924a0cd691420efaa66ab899d84fe371f1751453262b5032f3323c090010a31e0bfcab1454eeeecd70a84b6067ee5fa49378e2c365bfb43

Download Submit
C:\Users\Admin\Desktop\OIP.jpg.pcln

Filesize
10KB

MD5
ba6a1521cde429df2fbace5386b8dba4

SHA1
624e67a3e9162919eea13eb46a7897890a961dda

SHA256
c702ff8f608d30be20ae41288ce3f5e9fb32d339b30b62d451912401263e9ff5

SHA512
627090e3e6816ec5d58d7484e4be499b441c6c059d953dc9a1c448194fa6207aec6291250768dc06ff2a6a99f400909579de01894a1824043b8bf1f6adb718ca

Download Submit
C:\Users\Admin\Desktop\OpenSet.svgz.134j

Filesize
913KB

MD5
fa1f96e5913a47e9f9f4dcf89d60da0c

SHA1
81211dc3437c4ba9e8063075ab28873d7ea580ec

SHA256
6cf291f0c41f750fd7cdeee996549e6fbd9009b82f643c134cd19dc7f12de4bd

SHA512
01e02526bf1416bdcd410fce0162cbc7118c62ab030a75e62fac2536a1222d1ac67a0a23970c90997f05dea050e82f2792ba46437ecbb4430abd33f4d90d77b6

Download Submit
C:\Users\Admin\Desktop\OpenSet.svgz.adfz

Filesize
887KB

MD5
8248b52c702a9c8770622a4bba3973d4

SHA1
89a84996a403e9ffd5fe37f94aaab9b8f5c20ade

SHA256
a6d167915d942cb93281d667e8f62ff9933ce3d7b9ef4a9eee03370ac169fed7

SHA512
61f9b01bff84c2db8b3f6bc31d122fd64160992a6a22de2cc293c12bd87823b2cf3e152f9072e4f0564cfb33f151b7f24489feb49c52a46f280dee476050f325

Download Submit
C:\Users\Admin\Desktop\OptimizeUnblock.raw.ujm8

Filesize
646KB

MD5
a03f7b5235633b47a42476ab6425fa80

SHA1
ff3c174c59fd593b0a62475f900e69c78faff64b

SHA256
88dc8bf33697400628dbe54caa944ce9d72abb87b720fc9272e9cedcdc844328

SHA512
975b33841528014c21ab2d5a142f2f49bff5e6eec8964481f10178c8fb9b7fe90e53fdfe41f178655cfae962d19faae42eb9d2bb5ca888e66b56baa4624b2f8a

Download Submit
C:\Users\Admin\Desktop\OptimizeUnblock.raw.xduq

Filesize
862KB

MD5
64a3fee003c5b0425a9d5ef134f78db2

SHA1
84dff6f415812364fc73d0a17b262973972d553c

SHA256
04151f151d18b07caf6f76e5fe78cce4094b129ce079a0df6aa125d1e7385ded

SHA512
1b896081274fd9283b6cb06c881573794691559f369b0f3d5cfda8db0ddfb7b5173d2c6dcfaaf501e30d65926fb1d188694bc6fb8f3bbd35ebe873a54acaa7b6

Download Submit
C:\Users\Admin\Desktop\PublishFormat.xps

Filesize
1.2MB

MD5
a8a61b9f95cc17d04c9c383cb678d3ab

SHA1
f555aac889ffb3c038799fda84b062ba9b436d8a

SHA256
f37764a80134411597f9aac8aaed8ce4470f5767c465675e8f5b952aec8d22d7

SHA512
105ce564c17555ec1ea8f5201f8f1419a5b08520918b0b306f3a2862d736ca259c66a48a533d59aa5b1b2a9e4b03d21cb65da5f01a69b053acff811fb92c9fe4

Download Submit
C:\Users\Admin\Desktop\PublishFormat.xps.fwfu

Filesize
1.6MB

MD5
e6164d68aa70a6aa86b7e140110aa56d

SHA1
9af47c69a1240c42e0e94d91881c05e29416e170

SHA256
66c660619470f59848796080511c3ba0ae8cf98cc05b5df7b9d5b75fd8a9054e

SHA512
fd5192902fec1702d2f711706a781bb93798f275575df7d76bb3df9232980aabf64321ae4a5d7753e5168820cf44657b38e5d78a0e401877db9c19d533bc3e1d

Download Submit
C:\Users\Admin\Desktop\Ransomware-Builder-main\Chaos Ransomware Builder v4.exe

Filesize
550KB

MD5
8b855e56e41a6e10d28522a20c1e0341

SHA1
17ea75272cfe3749c6727388fd444d2c970f9d01

SHA256
f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

SHA512
eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

Download Submit
C:\Users\Admin\Desktop\Ransomware-Builder-main\LOL-decrypter\Decrypter.exe

Filesize
218KB

MD5
97f3854d27d9f5d8f9b15818237894d5

SHA1
e608608d59708ef58102a3938d9117fa864942d9

SHA256
fac94a8e02f92d63cfdf1299db27e40410da46c9e86d8bb2cd4b1a0d68d5f7a2

SHA512
25d840a7a6f0e88092e0f852690ed9377cf3f38e0f2c95e74f8b2ffea574d83c6154cccdbf94f1756e2bbdcdb33b5106aab946644dedc4ffaefb6bf57a866696

Download Submit
C:\Users\Admin\Desktop\Ransomware-Builder-main\LOL-decrypter\privateKey.chaos

Filesize
1KB

MD5
f9988f0c28b00f5d5e9dfbadb26c726f

SHA1
2e7d772218116cdeae613f753de227aa85cb750d

SHA256
d9db2ae73f84da29b9935e20d70eee553c74f630593d4d84baca16d452eab909

SHA512
2e520235e72e4308cecbf7f73dfe30e5db6a7301913cdc83b9848ddcdce3d4f28917a764430bf6cd267838e8f11d6df025995a02008ca25cea2fa84a4d3c4ad9

Download Submit
C:\Users\Admin\Desktop\RemoveLock.css.ukn3

Filesize
778KB

MD5
23353a3bf29f8b876ef88d053096d207

SHA1
2ccf4e0e41b329178944d11e7f213dee9e15f661

SHA256
cccf04bd687bc971bd318bd1b4989eb1cd3f1ba8635983521d1f146eb62b9ce7

SHA512
1174088be3c63d0f0cea10e2f87b97d77aaf9296b00b93c866f5f0848f363927d3fdd650522904363187763e0808e4964f8734093c7d837a1d937879aeaf62b2

Download Submit
C:\Users\Admin\Desktop\ResetGet.ppt.9j0j

Filesize
734KB

MD5
2fe9a05057d806b65bbdfebfbd387476

SHA1
e20a8c0be6e42395df8c569c284f19859bd9a61e

SHA256
889e9a9e430fa452f9d79061ab531d04c27a0999fc0cd9d4cf80f2d2fc7ff7a3

SHA512
8e0e19adc5c9a1ac170be0e99380fd5c91fcf7861e3043e9e2ebaae8cbbfb92e8383a1a01c6eb0e04fb7290e0eae1bf73cee6866f3c6ef5a180617d62311ebfc

Download Submit
C:\Users\Admin\Desktop\SelectExpand.dib.gllh

Filesize
624KB

MD5
1b2612b7b4615a01fc5bb42ebbb4180b

SHA1
6b5b4c97ca9a99ce909784603f9776c444675a78

SHA256
be4c45ef4afac64e215e18f0a0934b5439f023a0904cfd4afb3d8e9681c20cec

SHA512
247dc7dff4d8935bb59cbf231a5620e02691d3c7ba54a9d0ef42e3d9d1c047da4f2ad4b5594a2707ad00cebac3c9dec3f22c16c7e3843469825de322b87fef5b

Download Submit
C:\Users\Admin\Desktop\SetRestore.wav.yxwx

Filesize
799KB

MD5
0a8590d86e2bcf880d28d2ba2a5a4793

SHA1
a60369eb6e4470f9b7980b7836127de988b885a2

SHA256
3fbdd9b9ff13bac28cee281d08c4d0b04081aa0ae3c74743ed74f996796e2ef6

SHA512
cbe64cd5add25f57f2d8cfa352eff8df939ce179b4128fbd592731dc1af874f098a2e1bbe5e4d0bed95e85e2f1b974b0de699a4f614b0284e9ab3ba224e01eb2

Download Submit
C:\Users\Admin\Desktop\SplitOpen.mhtml.c77e

Filesize
668KB

MD5
60cf7cc936cb44d065a95329887af352

SHA1
0984e3ab993b98dbdc27d8d996c074afb33dadcb

SHA256
7bcfa3d3d62d2e8922b8aaa7fc92b6f4296538bc7611a6a3a15c90fa750b9ab2

SHA512
24a7b2fae048087e76a12a41a5a0728af894b1f83c91f54640ed9da425c6e2f644f11f49a1c82edba53788606a5785c9dd25a94c5648c4ffd9e88f3b9a8e221e

Download Submit
C:\Users\Admin\Desktop\SuspendConnect.odp.zj6a

Filesize
427KB

MD5
b164a547594b27b4bc8886e3866b7e39

SHA1
3ac7ff30117c0987712aa84f21b5e0b0119768d1

SHA256
5079fc3c56a654fa2c5a0a7b666b9820ea2eb537a515f09c6e99d56a7711341e

SHA512
6e3b530dcf5afa8ce5ab88f7155daeb9f01c7c357547f891bfc0042c66c0e55878fe98539358149afe65922baa21e2c3bcf2d0021e0dcb45f8968aa6bf4e6fbf

Download Submit
C:\Users\Admin\Desktop\SwitchPing.m4a.r1k5

Filesize
558KB

MD5
de6100a6605966393f565a2df5dcbc3b

SHA1
8184bd6ba15b33900bfcbc966ad9c7af435a7c03

SHA256
ddbbd9fd08e4d2b6ca505f2107d07b4be939f67d70c483df0648d871fb941527

SHA512
d5712788ad42c6e0cd29214a1f4793bbdc0a019181a93bb9311f3760796b354ca81d10d7527aab4ddace28b219c62af6a73717b0df678e2aa30208653aca10fe

Download Submit
C:\Users\Admin\Desktop\desktop.ini.1eoa

Filesize
584B

MD5
aaf11f800eef97a072b8dd516221d101

SHA1
39787bac1235c0ef19298cd775e2f728b9eda319

SHA256
d5e09b61eec20c1ea7f2d029daca5f6292cd9bfda0d953c4a0dc5224ae46a3fc

SHA512
19de3dd1dc575a599ac929fbdf44cef7fdd22274dcb7222d645dafa95de21bc5ca706cd84e099a37a9ed535032bfc26317a1938efed84c910636b1f9e6fde8ee

Download Submit
C:\Users\Admin\Desktop\desktop.ini.xzzq

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\Documents\read_it.txt

Filesize
964B

MD5
4217b8b83ce3c3f70029a056546f8fd0

SHA1
487cdb5733d073a0427418888e8f7070fe782a03

SHA256
7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

SHA512
2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

Download Submit
C:\Users\Admin\Downloads\Ransomware-Builder-main.zip

Filesize
131KB

MD5
2f859950b215f4eee1e00bbe39207212

SHA1
31593e690a1e02c5a19f24d65b2ab0022c136a0e

SHA256
4b19ad3ef396d68d4ad5457be25ca636d22e1bd848d3e4a5211b71da58f016b6

SHA512
4948afdce16b45abed05df9d093ce7286637beedf7fd5d1f1915638914ad1437321128b125653849c27161d1994acaa8a648207a326af922f7a4d59740d94d48

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini.6khh

Filesize
392B

MD5
0dcee22d6b6a21b0c79857ab290dd413

SHA1
6d348619bb9d36396a649f402dc9e28a8b1fda64

SHA256
60e7b121ad9b71d37ab5389bb589540803d16a120c25fd5c495a3f05dd0eb1d6

SHA512
6f8225f246aa6366fdc844b962e70d9396dad066c34ef73d902d521a78c690f2aa1494bd93eeae3fec468b2e51c9a9e2c5df273879cc0b43d9560ae12e8d2f2e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\chqabunh\chqabunh.0.cs

Filesize
31KB

MD5
d06a0e0ab05efd265fe5b2919a3d466b

SHA1
dc65bf44ece12d2a547f7044333de3bb2dec5a72

SHA256
258d11d37f0feef7ddb38d299ea024ad6c1a4cb9f9fe3baa9b83ef45d56cf8e6

SHA512
2c508207e5753edd1379339dee2084cfa2335065a5a97f46dc21b593b64a8baf013cce94cca6188da54b0cf9bec45be9621c4e6c1ed5470b61da82e925942bc6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\chqabunh\chqabunh.cmdline

Filesize
336B

MD5
a202b6a7a56cce7e2f3ae78598274487

SHA1
6f7f68484f3fcf0bc213e95de30f472903095c73

SHA256
00a484d2d911c9c7f9f09d8dfae119917998385da7c84125fe337fce1b679833

SHA512
3431e0671999afd3a5cdf0b971c0af64fd5c1d821496bdd1cbb016734bd75dd7cb7d40f0e093661e57fb2ef881fd12a5d2b142eb49f4ebf141badacdf24a7aea

Download Submit
\??\c:\Users\Admin\Desktop\CSCC2F2DD17484343A68E51FF61DA772CD2.TMP

Filesize
1KB

MD5
7c63cbdbdd4b78cc80dc7f898291eb1f

SHA1
d7c549834798922ac8b730851fe4a40d82c0aa84

SHA256
785980cd5bde147508c1a453f68da8f48ed18fd442a6069bcde63ae85d5a90ea

SHA512
8ad047a5f4e32c29510e0f8d1916423dc1b8c85ebc2a3fdef7afcb7225309f12eb960253ec38e71949f6f9a17e3e00eeab921287453c9299df02895f31f30d2d

Download Submit
memory/1460-1196-0x000000001AF90000-0x000000001AFA0000-memory.dmp

Filesize
64KB

Download
memory/1460-1657-0x000000001AF90000-0x000000001AFA0000-memory.dmp

Filesize
64KB

Download
memory/1460-1656-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-1192-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-1190-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1460-1659-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-1814-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-1804-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4980-2714-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4980-1815-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4980-2316-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5424-1655-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5424-737-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5424-1187-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5488-722-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/5488-736-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5488-723-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5828-245-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/5828-220-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/5828-292-0x00007FFCBCFC0000-0x00007FFCBDA81000-memory.dmp

Filesize
10.8MB

Download
memory/5828-240-0x00007FFCBCFC0000-0x00007FFCBDA81000-memory.dmp

Filesize
10.8MB

Download
memory/5828-228-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/5828-221-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/5828-251-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/5828-246-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/5828-219-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/5828-218-0x00007FFCBCFC0000-0x00007FFCBDA81000-memory.dmp

Filesize
10.8MB

Download
memory/5828-217-0x0000000000C80000-0x0000000000D0E000-memory.dmp

Filesize
568KB

Download
memory/5828-2267-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

Filesize
64KB

Download
memory/5828-2264-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5828-2715-0x00007FFCC1130000-0x00007FFCC1BF1000-memory.dmp

Filesize
10.8MB

Download