chaos | hxxps://github[.]com/Hacker2425/Ransomware-Builder

Analysis

max time kernel
542s
max time network
445s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2024 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Hacker2425/Ransomware-Builder

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\RIP

Ransom Note

All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: asjfkhdasjwhdsfuhawjkfrf6d5s6d5df

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

resource	yara_rule
behavioral1/memory/4460-1016-0x0000000000AE0000-0x0000000000B6E000-memory.dmp	family_chaos
behavioral1/files/0x00080000000235f3-1036.dat	family_chaos
behavioral1/files/0x00070000000235f9-1046.dat	family_chaos
behavioral1/memory/3836-1048-0x0000000000D20000-0x0000000000D2E000-memory.dmp	family_chaos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	Clown Ransomware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	Clown Ransomware.exe

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\clown ransomware.url	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Clown Ransomware.url	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Clown Ransomware.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RIP	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Clown Ransomware.url	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.4fnl	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RIP	Decrypter.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Clown Ransomware.url	Clown Ransomware.exe

Executes dropped EXE 5 IoCs

pid	Process
3836	Clown Ransomware.exe
4560	Clown Ransomware.exe
5912	Decrypter.exe
2780	Clown Ransomware.exe
5216	Clown Ransomware.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Clown Ransomware.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Decrypter.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Clown Ransomware.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Clown Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Clown Ransomware.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lm1fwrtn3.jpg"	Clown Ransomware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xu0yz0wp6.jpg"	Decrypter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5nn2ckzuk.jpg"	Clown Ransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000020000000100000000000000ffffffff	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	Clown Ransomware.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000215a767abd68da01d26bd57dbd68da01afb07e7ebd68da0114000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	Clown Ransomware.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify\UserEnabledStartupOnce = "0"	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 01000000030000000200000000000000ffffffff	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify\State = "0"	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000010000000200000000000000ffffffff	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
208	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4560	Clown Ransomware.exe
5216	Clown Ransomware.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2276	msedge.exe
2276	msedge.exe
64	identity_helper.exe
64	identity_helper.exe
5352	msedge.exe
5352	msedge.exe
868	msedge.exe
868	msedge.exe
1380	msedge.exe
1380	msedge.exe
3872	msedge.exe
3872	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
3836	Clown Ransomware.exe
4560	Clown Ransomware.exe
4560	Clown Ransomware.exe
4560	Clown Ransomware.exe
4560	Clown Ransomware.exe
4560	Clown Ransomware.exe
4560	Clown Ransomware.exe
4560	Clown Ransomware.exe
4560	Clown Ransomware.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
1380	msedge.exe
4460	Chaos Ransomware Builder v4.exe
5856	OpenWith.exe
1468	OpenWith.exe
5024	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	Chaos Ransomware Builder v4.exe
Token: SeDebugPrivilege	3836	Clown Ransomware.exe
Token: SeManageVolumePrivilege	5892	svchost.exe
Token: SeDebugPrivilege	4560	Clown Ransomware.exe
Token: SeDebugPrivilege	5912	Decrypter.exe
Token: SeDebugPrivilege	2780	Clown Ransomware.exe
Token: SeDebugPrivilege	5216	Clown Ransomware.exe
Token: SeDebugPrivilege	2380	taskmgr.exe
Token: SeSystemProfilePrivilege	2380	taskmgr.exe
Token: SeCreateGlobalPrivilege	2380	taskmgr.exe
Token: 33	2380	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2380	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe
2380	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1380	msedge.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
4460	Chaos Ransomware Builder v4.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5272	OpenWith.exe
5272	OpenWith.exe
5272	OpenWith.exe
5272	OpenWith.exe
5272	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2584	2276	msedge.exe	87
PID 2276 wrote to memory of 2584	2276	msedge.exe	87
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2620	2276	msedge.exe	88
PID 2276 wrote to memory of 2052	2276	msedge.exe	89
PID 2276 wrote to memory of 2052	2276	msedge.exe	89
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90
PID 2276 wrote to memory of 3784	2276	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Hacker2425/Ransomware-Builder
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc777846f8,0x7ffc77784708,0x7ffc77784718
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6888 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12368916160828321111,4947779147657673075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:5436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1768

C:\Users\Admin\Desktop\Ransomware-Builder-main\Chaos Ransomware Builder v4.exe
"C:\Users\Admin\Desktop\Ransomware-Builder-main\Chaos Ransomware Builder v4.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a125wnd1\a125wnd1.cmdline"
  2⤵
  PID:2208
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65BB.tmp" "c:\Users\Admin\Desktop\CSC12080E0D67384C72846DAA9A3C8A294B.TMP"
    3⤵
    PID:3512

C:\Users\Admin\Desktop\Clown Ransomware.exe
"C:\Users\Admin\Desktop\Clown Ransomware.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836
- C:\Users\Admin\AppData\Roaming\Clown Ransomware.exe
  "C:\Users\Admin\AppData\Roaming\Clown Ransomware.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4560

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5856
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\RIP
  2⤵
  PID:2592

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5272

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1468
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\download.jpg.uqnz
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:208

C:\Users\Admin\Desktop\Ransomware-Builder-main\decrypter-decrypter\Decrypter.exe
"C:\Users\Admin\Desktop\Ransomware-Builder-main\decrypter-decrypter\Decrypter.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:5912

C:\Users\Admin\Desktop\Clown Ransomware.exe
"C:\Users\Admin\Desktop\Clown Ransomware.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2780
- C:\Users\Admin\AppData\Roaming\Clown Ransomware.exe
  "C:\Users\Admin\AppData\Roaming\Clown Ransomware.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:5216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5024
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\RIP
  2⤵
  PID:1396

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Clown Ransomware.exe.log

Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
49KB

MD5
1538b116ac1d82b34723c14506c116da

SHA1
915f43aa05de689aa64f33b842d1b5df7c62d7bf

SHA256
05337bfc960a7786bb8af2c8a19d203c099ca83fea11c1056612ef7d37d89b3d

SHA512
afcc85d5e84e87433f21acb5c6efb7851389ca65f208a1d86914846b0a90bfc14992218fa3b77c3235021ffd6fc2f184a0b730be8c47a3336191996210179f6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
44KB

MD5
068b82e64f390ab4e6d01d146fec74bc

SHA1
e7f8e8813681bda3adcc5896c4d235ef3956f7f6

SHA256
66f26afca99a9b04259a6dabd2bec30a64fe445666ecf389f2b289956eeb79bc

SHA512
4afffdcc4ed500e0e3bc9d8631ed64da49663687b43cc3eced4eff6832c3335f0b2e794e8c77cfff4849cd19446b07099ca05f9a34cf79b8de3bc2a8d1668f19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
24KB

MD5
dc0ad025509c966716f971b6e0d36ee9

SHA1
64c5b5b0bc022961bcff062467df6cde579a7d5a

SHA256
ff30c58cbd4693a19a964c528b653c80ce1968b7db93a92a5ee9f3788efe4103

SHA512
3580ddfded853f05ce10d96292ae23ac2593079cb2bcedd1e5081d99e8aa54c7ec985cbbf29e5961425192a00ef639cc3969e5bc1f6450bcbbf855e3f161ea83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
23KB

MD5
77a781823d1c1a1f70513ffeda9e996d

SHA1
60776ceeb79ed41e7cd49b1ee07b1e09ff846f25

SHA256
b093599957b103def2cc82ffd2d42d57a98292ace5a6596e3e4439a6cce063b2

SHA512
9aa66273ad419e1fc4ee825ec9e9fea4297139eca060572d3f59ed9bccbf2e1dbd03a006a0a35c6d37196e8297ec9a49fb787f0a31c3772b17911603eca62aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
34KB

MD5
95db310266559863c8ca2f548f2887c5

SHA1
ada72e132fbaf9b4baa022a872af8bb6fef5ab45

SHA256
89e059e4407c7283aa9f783949175480804dccc79ba336c04e549e0dadc9b412

SHA512
1f8e8453fdf6a928f8acb446c5a8140e05799e5205b14b51177284bd1aebc9e8ef1b837d4332e4cbddaff3e6a6a23de9265b9320b393bcbe60f7f539db0aa3f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
1.1MB

MD5
a485090392f401a81b2e2c04d1632cc4

SHA1
e35a6f823ed1f2f674e4eca83cd938309c27e99b

SHA256
d4232119397b0952b0e822e2dd3094c70787c18a756ed66631a3e7359ff95d83

SHA512
6903cde04dd292fdeb616d602d69c619e3e53a3f0d46250b0d3f20e8be71990e0df3fdeca4b57bffe5a52db1a4fa0ebe3bb361a833f176ffc1b7ba3321bc39af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
0d7d8ddabaf498944f2bee0bf79be84f

SHA1
67d8ec04a8a0411506df3fece83947dc5ab951f1

SHA256
c671d369db39abf858c917ff153ddcdae89ffe6afc2666a1e0607535f0da6230

SHA512
5573750313b9a4fa6cade35a3df7039ee5c4e437facefed1b2b24f8a2e14941fca6f6896f62692f872afe0894579bf77cbf65835702c32d4358e8f625aa6ee36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
71bce1fcf48a4428f92474c93c8b3f6e

SHA1
916f442b2858aef7365fca1a143f91c4b223b9d8

SHA256
4fe0ff77facc5704e6e5a67a8bf12c381bc95318c9cf8744d5368b77e49ad021

SHA512
15b94211d0c17c29628455add67ae02a31558b678aa46ef26d8048f3e7c016a73f9ced2a623806a80bee62201a9baaaf0c7ce6cff2eb11e457584177f3dcc3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7c554b5ebbbf84adf68fa6be4aeeac9f

SHA1
5d2474bb35e06a0d3ceb006f43c0aff30548c0c5

SHA256
2eca339ac616222b02a4555347fed29a72792976ca5f7458478b7cdc4cc7218e

SHA512
78a6199e785614541f6cb90c297fcc5df0e455d333a167211b3ae5f63f6213228d1d107687da6ef01aaca393460be2fdfab22e89b923d5bb5e1b97d7bc50ef87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
afb179c7789018252f0c79a8b2c91e02

SHA1
be0a76275674ee24405e2cb27946dbad13c44083

SHA256
03093245befc1e19bd6ff163fefc8e12b8d1869cd46329eb4dcff4527a372239

SHA512
5ad2faaaebe9315bfa6fa288313356e4514e38a80b944963bc8a8103309e36a841c41e0809cedaa3e20b4febc7710d1a2fa6ecc7451dbad1728d3661edc6cd0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4c77352ad2bac6a20639051b96401288

SHA1
f1fdf1e08996da0d75adc7585d05dab25f91a811

SHA256
dba290aaaa7cfb55cd0fec6c8fc1dfd3a789df0808564d86c3361d2bac542dce

SHA512
d7326db77050dab04542b15d4b3e6de3559727f9a6e08f0bc62024b5b6fcb29ad4f9390793d43b0625ff5e22a94baf3f234640bf3dd4ec950ce0ab7440eaaa54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
aad2186018c3f3cd7e991fce8ac14da2

SHA1
5096cf995300984bf7c857b11c391da7ae6dfbe5

SHA256
8e456c1a7610c8ccc4acd7fe7faaec7a882f4d35422d4e346ff013c55ab2ddf8

SHA512
9973c571c95bd5c2f028050e4a286a80aae275c42651cda8ddc74818859da66820c703be0f9c22e1e70259814bb5c7e590ca47e3e3a5cec157f1a049af9a3d9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
efbb6ddce06e742e32de845c9e39da44

SHA1
e9c06c9af0a99f406fd22f0199a35432ca220b11

SHA256
5df2689715ac37c646382dfa75bff0aff73b84ec78881424d8671ccafa826637

SHA512
ac1ab1148232af3008896c6dc6fdfc10ed508c43858b50d2f611cc5a362013e1817d93075b028c174352caefc733cf2bceb1dabe627341d844546b0c8b8bed71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c2aa2406c742c21e1a6149c2f3ec4c23

SHA1
d768f8810275bd4e48c5f96c26f9cd562bdf50a0

SHA256
59cfacf0a973310bf1908d0c2f354fa38f8d8ca07b05cdfffe0cfd1f1cf34c85

SHA512
3d6d4be2e685a03a4fb6e1568d8d336425216e55820f2832be6ccf1e641d901ff694f0a9c44d1a6833170bcb4f465fcf66e0d0ac788d8b69f061754f4f99f61c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae76c7abe0213b84f38b10f726594758

SHA1
8cb8c4ce3bf51f88723f164039cf97d5cee0dff6

SHA256
e2d8ebd7a7c7766c45ea28817dced7caaa817a4eb9559158555fe614bc9c6968

SHA512
8c283be6d4acd686947ea95699dc294ee954874bf26b818244baf0db59ab263d489769f521f149c4fb48311f445e31109464fdd60e8a19706eb57524db85b4c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a48086db6950f3db4261f7e55863892a

SHA1
26a39b6596bf26f9cf36fe8eda7a04bdf4b38772

SHA256
b75bda355ffffb132ab218da784362c120ec46587801db162b98da5fcedc4e61

SHA512
64820b46d54a2ae48c560d76d98d3c942571f94de365d49e54485d6a12b179829900aefe00662536d538e1400344475ca116914a0c2b63c01900d03ebd0c0f6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3dd925d287a2989dfc006b2189bb8cd0

SHA1
96f571cfff1d10e4f4f56fe881888005b2ff1f54

SHA256
3da522102f6022fc877b83a9fa4ee58dd994f072f0642082a3ec9d162ad61fab

SHA512
ac13485c0bc16a2ae9e5a5001754b212d8f733c687ff7c91ef312df76d61cc8af0a527b568e221ef1e5e757cd3fb950648167ea93f913211561f8a851670816f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b47b7076fb792a4ff8d93826bb17a9c

SHA1
dd77d242dccf9053d3dd41edd730c4cd33ff57ad

SHA256
4f338f313f0e88b87265fd25aecf9cb74e5ef2cfcbd07524265e23bdec6090ee

SHA512
982bf164b4ecf19848fb7e526af0bf92f12aa032c8bdc92328b477e3cddbf83684a4aa538df1a6d32cc010b0c05a64b572243dde732af10306cd9e89ac1738b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8557058b95ee9ccde8c2695d03e7b569

SHA1
80391a44510cab7d3d73fc25b1475693d7c1e9e7

SHA256
d4c140b80ebac2a772058eb619041a204b61bcf1bb521da031438eea97b2a622

SHA512
aa364bf7549a156219dd40bf4ce9a64c7d4060d38972d8dedc4d5a0d97bf5189edc2c125f6592692706ef579b417a86fc6b4461a3750d19edbeff992bf43780b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b81891d1257b9d737bc2bd6f95dc771e

SHA1
28b95f095c6fc907146ea09f112adf1ccf7be40f

SHA256
959f68c58bc553180f6129963ce3728c9977b44f1b52ff57e9653a768e874a95

SHA512
1a94705b825320723de7dd72d2414dbedca97e03556bab01e865c1c60ee89102e19587a2309846ff0936bd7368a7f752a66fe95bb94803a517738b53db0cf3f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
73450af9313ab92d3290fa42883325aa

SHA1
465335d644a099f47a5dd6ecbcc831cc56f18b68

SHA256
913f1150a153085812e6576de1dd31d83976cd803ea63c211931291fb3cbdfe9

SHA512
2366c0240dddc2e89aa392cdd917608bb5ee2d4961050b20320f223688cb7cc27bc93e95cb6eeecd27989df36ad0ea008ea7b0321435dceb92be701539ea2ca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
fa661c8f23804646e5b8fb40a9888a02

SHA1
9a00119b1704310258a6b0da0aa286cb50bd834d

SHA256
d4c43ca0b939573982a2b133aad4bf6a5ad0e29f816ff294b1f71e6157f7a8a9

SHA512
f52c4da480d5918483537104f30e88d5d9fe235abf52ece5a73a7a10ccc770fcc3a39f454f9fc8f0c3ff4027b8ed6b50cb46b4125c8f95b43fd07cd4d01f50d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
e006140df6f893ea355475c91fa4ccc4

SHA1
6bbdee1f555c804aa60eab4019412e77b37f5f26

SHA256
43acf88687e8a4cfd5ce09c8f47a9946957086d462d73ad500bb1c21e78afaa2

SHA512
c217bc730298d82330f9f2a23b83f937a0575a5e31085864423d4ead75a92b9d4b2555ab2eb9c6bcd755b35db15a41382315f32835195a40db11351c478de7f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
41852ca9fa7a8af74ac944a47c2a1342

SHA1
c31d69a2c736106ece30fb48c5c73f887678ca74

SHA256
2f4fb1649292b0611aaab44b15a1e2f85a7bce93e975d9ab43039a068e6ffc88

SHA512
44aa5d0d22a72d6a4cb6b22af58dfb248f3aceb9ad905f329e4e6448447256b1df4a4a4e2cc8040e322dfce4de70dbe1276d1a96c678183736737c8729fe5f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c1a226224d52698a13908a3b1276da1c

SHA1
aec783be6bd6dcefdf7db9bc616a7546c729cdd2

SHA256
0874c92ce45b9ed40b6d7d7e4d568815fbed3e02c35fc0c96f71b7f7d4808a23

SHA512
8892ea6dfb90099e1d6add580d34865ac4372ae9729d806f14c2b93d606cb028a96e59c36146f3a5cb6b59e65a3b26e0b5ed8ead78ea5cfd47233e6ba7cb481e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
00924ae03eedf87c4fa83bc3f36d3895

SHA1
6a7dedc43a14dee90c5cd21ba4b25dfe9791a76f

SHA256
1dc05656201622994b5b20f467d2be079635d8113862cc045b5f0c4d855548a9

SHA512
297f8a40b6bd625610b3027101520bce29d55327cd7e917ce2abfee442e422e6cec1c640abdac8f50de576e621a743dc150e3f7da95e17dc995aba059c107a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c004.TMP

Filesize
874B

MD5
ea11810c4f160263037ea1dfd6bb4ebf

SHA1
a3ae7616b89fe03c51fbb43d4f19142adb542b94

SHA256
f2bc621fa84035cb3c0aca2b97d4f16f18f5ca095983f96ecd226bfc9577ec52

SHA512
300c67622c9d67c80f5023cae54c66e29898bbf2128d750fd85908ab0200ab38695eb3556c3573f9a9eda24864bf93e6ec630197d959b7d29242be2ccc212b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
92fab1dfba2aea3d139c83b333845f50

SHA1
597dbcb2011a474f91c5d6833d05786491244464

SHA256
f3c7c122c62ce4d05d3bc7b3ea8fab01a27f830eb7b3b02725e772143821e7d1

SHA512
3a9eacc013c03c6e780ae5e8a621dc018d39d1720d72d44b0f592e86509b2172e8187d8c7f685a4ebe43817add6dfd893fa22a2b785db9c7b9835f44139ab3c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b04dabce49adbd0e5eb6f54fc94ce0a2

SHA1
90c01860a50e1450da1d69b09478ca86e747e0bc

SHA256
5e2a987d5c81b08023f97b0842a6a2cecb348b30d47b1ac93de34a9cb8f394c0

SHA512
fc8c87cff344e6a5a5a658362ae55bf56614d8e34703fb9af231996dd8408573ca73df0cbd9d0564e77a58bac17cd425bb4fed8e385e175ad5c9ec8e5334ba42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ba57b5f567de83b3c01ac242600a94ee

SHA1
88dc1d5788f785fbb5f279ab15e83d064d1e01cf

SHA256
36bb4b6ee536b99438b627eda9090c75cce8cfdedcd5b969de7307cf03107db5

SHA512
b7c3bb51c4b1e8596eebb320679cc1dd3c6c7804522fb59589e6b647fa7b8063451f40e29f400550e7144eb6562979d53d60e9bd6e0b0a873a0b803942b7fe92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
662df2d6c77d90ecab939dd6d0f72c5f

SHA1
a6080274376cca1cf71f8fe22bdf5538608d0f4b

SHA256
aa7449d0fc025921792b082843a2990f9edef7fc434ab93ca6760fa9b6f1eac4

SHA512
348f6b1cd67f0e7962f769e4674e9774379c3746b39618ef6b8e21e02865ecd8cc9df7857a5685698dabf9a309f5a66b94e2952574eaa654355b317a5dad98a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES65BB.tmp

Filesize
1KB

MD5
d32b30672e6c7f5f09e5c152830a0221

SHA1
8fd1e6b155243446bd27a5ba129240bcacafa7d4

SHA256
c9b8bf3b436c3cba314abc8f8a341326fcb6ed2348ccb83bd957657598fe62fc

SHA512
f3165930855d31e6b56c596011cddaafe22e3eeb330c2eb556347417bee2cd3170492c08ab6808d76a96994c80c850e0f8129014607e208cd10f392dc0910097

Download Submit
C:\Users\Admin\AppData\Roaming\sdf.txt

Filesize
3KB

MD5
7f3055dd3441d257ac43ed60286d12cc

SHA1
ffef9f86d757ceb5a4acb961628e6f4cc8b365e4

SHA256
d05079363b946a44b893afcd70242b10a27716e3d21d12bd8ae82587722e18b2

SHA512
ba0ff997e4bbddf94854c31c0f50d88ec7be01774a5645735f58f66ba7884ec90f1d66004385a6344f4a0fe8d88073a535e57eb4d2b42cf712296ef73d87ecc3

Download Submit
C:\Users\Admin\Desktop\BlockInstall.jpe.4gm9

Filesize
286KB

MD5
4e73e1045e96e4b992e95388ef434393

SHA1
80bfc88d4c3d33a820d0fb661ef3742d2593bb19

SHA256
206766d4b0d399194ca57ffc4dcee8e4da457fcf614fefee271627916935b79a

SHA512
cde532afc271b12f736d4537fa2971a5fa3a2ddc5105d99518a56ec02dd0cb9fdf6aa8fcd3bbb71881517bd1b61ad02adc93703311e4584565fdabe5c255d635

Download Submit
C:\Users\Admin\Desktop\Clown Ransomware.exe

Filesize
29KB

MD5
ea0e478adf0b3f7009307687ae01f0f3

SHA1
5d9fef921662c218ef65298f8736af5df07ba002

SHA256
da74cc5baf42a97ae1217d9df690e4f7aa2723ba224c985c3f0051ce00498b8e

SHA512
b8d872c939af592549c4a1981798279ef77720f075424b90c83f013f643121f9f9a6efb4bb066ab7ea30619bd025c06b82ae81b27823b8941ded7095aa40dad3

Download Submit
C:\Users\Admin\Desktop\ConnectEdit.wma.51vh

Filesize
271KB

MD5
8710470bfde26404706e977d14c52f50

SHA1
c1b6b757f86b672f39c66af71117191041fa70c6

SHA256
7f8217901d8b9014a84adca61b62fcfe62f8bb1d9710efff3b5e123c56acb487

SHA512
7adade6232b64e4bdceb6e1fc0645518ecca3ed1c4a48ee971b6e0589997d619a03336e2dc557fba51d6551378bc708057b0cba90042722c84541d06418cf509

Download Submit
C:\Users\Admin\Desktop\FindCopy.jpg.en73

Filesize
255KB

MD5
bb5802e1bd05b32b62a57481a1c946fa

SHA1
812817b434573965a98269c1b044f31bbe59d819

SHA256
2102d53465f13912d94ef5da082d7fb50939453f997e7aaeefa51af08186d96c

SHA512
ddb580671a7d1effe4f01216ca0028bbe4ead469ef693d822d600d853c23d2ecae4fff95a9b776abbfab9ab958431add8c5eb05f58b8c89a896799be7923a809

Download Submit
C:\Users\Admin\Desktop\GrantSearch.mov.1340

Filesize
410KB

MD5
33132b6829f8d83e081b321bbc90b9d9

SHA1
6f37763723eed58691d6f6edc98b094b888e2f16

SHA256
85abf816007782c0ce197ffe13a6169d1b92460993de417285c17c25c5618bf8

SHA512
d7c6ea4c1b937dafb17a86d1f55278ea3a0a8e1e0ab5a426c6a40a9a05d67f7b50397a8feb82ce0739b2cf314fb37040add086e086da94f02b42c4312e19aa48

Download Submit
C:\Users\Admin\Desktop\LimitRead.xlsm.7xle

Filesize
364KB

MD5
44657cb163f2d0bf618113c9cacf43a0

SHA1
8e2f4a733d4fd0176f9664f91a0eabd9f8938a7b

SHA256
89ce874f0b7aff5fcfd81d3c78044fa93ffdf483c18bc2e3bf044fd9fca922b6

SHA512
f2b2446f08d6692328dad4058e229009e3aa593751479aab131ac6588a27a479c3922184c0db8f7839b4565954be1bc2a9a86ce9852bc8670b6d44523be2e9cc

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk.8vcb

Filesize
3KB

MD5
4607cc0b982715ba8bde02259d238f06

SHA1
f5d1f3cf7ac6579dbb0c38b29a1878a3754a0cf7

SHA256
ce5a662e6cc498ea804316f838aa68d02521d59c8ebf04b6abd65b383f9859d5

SHA512
7d751db57a1f650fcb8c4563ef0f123f091f700d9feb63f0c9868cf0966a893e1e1b55efa9756c3ac35f55647c4c7ca66f4ec9c9617ab27b37643d083ed58f46

Download Submit
C:\Users\Admin\Desktop\OptimizeSend.mpg.bxa9

Filesize
457KB

MD5
ab7ac196c8f1ffa58ea6c2a6922dd34c

SHA1
61dc69abb32e7c1935d3b691c67db4d128c24ad2

SHA256
c76d0a22e9272b7ac65df5b8f52b83c05ea083322de2293a20ed7beb307fb2b5

SHA512
b3244f88bf27288e17b8b2ad65c013450f781782b28d9a0e1d49a788b9648d7be79ffda27c961775c03c0cf0fce357b98921c10df72193eb63d499fc9523380c

Download Submit
C:\Users\Admin\Desktop\OptimizeSwitch.7z.zbtk

Filesize
441KB

MD5
cf7c06566a49c45879fb50f17fdf01cd

SHA1
489593fb637bdc4aca946b84f14055756abbf140

SHA256
505232aa11d33855b8ba6e3cfa3757af9a5abaf6bfd69eeda2a64def03305957

SHA512
ec31af7a83d0000e4d5b565af0316de0083a864f57bf0b1d3d6a1b19ac902397696dbf62ddd084eb160a845eebbfa202458f85e3ae73736e8a24dadb6660b851

Download Submit
C:\Users\Admin\Desktop\Ransomware-Builder-main\decrypter-decrypter\Decrypter.exe

Filesize
218KB

MD5
97f3854d27d9f5d8f9b15818237894d5

SHA1
e608608d59708ef58102a3938d9117fa864942d9

SHA256
fac94a8e02f92d63cfdf1299db27e40410da46c9e86d8bb2cd4b1a0d68d5f7a2

SHA512
25d840a7a6f0e88092e0f852690ed9377cf3f38e0f2c95e74f8b2ffea574d83c6154cccdbf94f1756e2bbdcdb33b5106aab946644dedc4ffaefb6bf57a866696

Download Submit
C:\Users\Admin\Desktop\Ransomware-Builder-main\decrypter-decrypter\privateKey.chaos

Filesize
1KB

MD5
2c94fc637b578e1db28728f23b9be6ac

SHA1
ecd86004d5fede8e6a633329a27dd0c63076a445

SHA256
8a96e5ea4aaa339a626cf175cb31aa236c155e3edbff8a076ea4dc46acfa581d

SHA512
603e048e0e3903e9dfab6e77cd3cca513770f4c1d6a67c996a53a637247f688a36e45b022f5582c7c8742408a3ab90d12c1aa9f3a27722864410327f2c30f9ca

Download Submit
C:\Users\Admin\Desktop\ResizeFind.ico.qbpo

Filesize
178KB

MD5
8fe33214705fd23e4b1e7d79b42ebd54

SHA1
5294969d076b83c09b7a7623c0f093e1fd79e263

SHA256
d3ff1498d98cdae3f125012bdb75e96766fd96601948ebb52cfdab4dbfe8d54e

SHA512
e035827b4cdc12042c510f5d6638029ebaaa43186369c0d7ba46e4c6a042d24f9e1cd39bd51418aecad1838bc840e24f5a0932ba0aeff070a9bcea21d44b9a13

Download Submit
C:\Users\Admin\Desktop\ResolvePing.wma.vt8a

Filesize
333KB

MD5
a5efa4130b8e9e20b39770ac62321b9d

SHA1
f55f8e4b52b5c23581347c145b500a92604d4b23

SHA256
271bef5c7cc35a8290dcb7f236d024ebb8d444da3971d4ba19df4bad58cb6316

SHA512
38803121763d2b3b1c7d313075e33738fdd3fd7604900ea7dd68e9677d5166d770b8c0a253cbbf36de58c27df8805e31fc54152fe22b21176883cf2b8b3ef837

Download Submit
C:\Users\Admin\Desktop\ResolveTrace.pps.nept

Filesize
395KB

MD5
a8625b9f0d94c4546a3ed4cefc229d6b

SHA1
20d30391b5454203a0b46b2af104b5661d170907

SHA256
57c22875382f47dfc211a9f42d1461ea62cf11c86b5e0f15011871edf3e2d5c5

SHA512
2938de9144b3f659eb09c867eb5291db6f9a4d80e35733bcf28f940cb66484fe4427eb0258d6c4551febe48e9c91332819b418bcfb93626dc4c40b1055bad72d

Download Submit
C:\Users\Admin\Desktop\SaveEnter.xlt.otwb

Filesize
224KB

MD5
710c1ff36b9481590f5bcbcb2535d268

SHA1
69d41e73c0e9ba21d5c35d66542d252659f00482

SHA256
3384e740a7e1c1c5c0d16c303277328b883fd0fec07c9af2d7c0ea64f8863328

SHA512
2f727a95c5b21e1bf84698673bc2954c14ef14c695ceceec8ba19bd8dc8a4a287049ecac7b3e3a8d421146cf5ddfc34406ff7de1fe835912aaea5033a47be59f

Download Submit
C:\Users\Admin\Desktop\desktop.ini.jgxl

Filesize
584B

MD5
e50f3ff7ed000b726a3394ce3ca8a97d

SHA1
b2e6f99ef1f6871cabbd10b746a0f2e4a17770f8

SHA256
0280611be7a9b4b11a53912d6801d7d56a4a50be4da4d81fecc66e69424d0287

SHA512
d875bb82e12aecb9c35337f57f597b303e70945df8c60b58c405d4bb916b29013869bd7841b03453905e476f2c26c1ab5f6b7d0f86f767bf52109c1fb1f3148a

Download Submit
C:\Users\Admin\Desktop\download.jpg

Filesize
2KB

MD5
942e0981dd1d842f4b6ec5e189ade49f

SHA1
2f6836d7e1cc04f62337003ef77f1e7ac68298ca

SHA256
ebb81bc23b1d777d5c7d2437bccc709ba169d9a0bae3c4c737c24c0fc75dbe5d

SHA512
a535462769825047cb9fc493e658ce6a6326c6654e470573695a7484bfc035aaa0574a8a3a1b4eb2623f9304e8e4a57a35b0db3e4a5900541b7e27e7d446a4a0

Download Submit
C:\Users\Admin\Desktop\download.jpg.uqnz

Filesize
3KB

MD5
3cb28bfec426d93ed3b05d1b763d8350

SHA1
bf4e91508549e2f747fe0a3b01ce095bfef7c2d2

SHA256
a3ae059c73ddbe2acb93788e6e92eba1ac7fb6f1acc30d8f0eef1c668c5c4e76

SHA512
b3779f9f5277701afded58eaa9225beeb54710b81e51691abf5fd1690cd0819922399a88bcf98397356e37c1404f6d976a162f7c3d1c0c8a23c8fc313da682bb

Download Submit
C:\Users\Admin\Documents\RIP

Filesize
872B

MD5
5e2814720ce102278ed51aebb3bfd4f0

SHA1
6a4bec95c1fd584e7dff65eb08db1b3ae0bec91b

SHA256
ab94a70a14302e20b228eefb5dc7a23e1e8338c60f11bfeb6210eae5595a03bd

SHA512
399017d594cf602f4716a27a29dc36dd2be878b38b0b9fa9674b6560764a92fbfdd5cb2fa81fc07c0bce9411a9a6e86ea364e1ac4bc4779994e05635c90aac1c

Download Submit
C:\Users\Admin\Downloads\Ransomware-Builder-main.zip

Filesize
175KB

MD5
e90ec1adee59fe4b39e78976adc02461

SHA1
7fa247db978f829a92090bb79b7cea4227878421

SHA256
22c91b738303c0f8b5dafe6b16b0d7d4f5d9a6170ba666124d88fc7d46092879

SHA512
468d3544452086e5b0425aaa59e9d95ad17e420d2263ee7e4d6fd16bddb70e9261ad75eb396fb63f333ccedaceaf5aa9dd803c38c38be05e7509ec24f9e89277

Download Submit
C:\Users\Admin\Downloads\Ransomware-Builder-main.zip

Filesize
131KB

MD5
2f859950b215f4eee1e00bbe39207212

SHA1
31593e690a1e02c5a19f24d65b2ab0022c136a0e

SHA256
4b19ad3ef396d68d4ad5457be25ca636d22e1bd848d3e4a5211b71da58f016b6

SHA512
4948afdce16b45abed05df9d093ce7286637beedf7fd5d1f1915638914ad1437321128b125653849c27161d1994acaa8a648207a326af922f7a4d59740d94d48

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini.7lmo

Filesize
392B

MD5
ead774c588aaca4eb4f81812891360b4

SHA1
75e2a7e046685fabdc8b72faf608f684b072baa2

SHA256
8573b10cf108b520b28661c38450ae077cc4ee3ad614424059e941ed224ee005

SHA512
e12cd5314bc4f06cba1d74eb5bbb72a328aa2b88f9e0df999bb9bae9d0c9e15b1639db1b1b9d0083bcf149e4726c8d7b476f633d7c0d4b086e70f12b5a9c3c44

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a125wnd1\a125wnd1.0.cs

Filesize
34KB

MD5
37e8ea9f830597ef6b4c56206f979b7b

SHA1
69efc1afd672daa4c15ce6b8e90b4dad2795926f

SHA256
9eee66449faa9264e81852b88ae5880de5966971df3c81f28d47230812004306

SHA512
ea5ee9bdb95e9919bdfc7e8fdb2dba42c0c509dfa210b71fdb1ebd60ebaed67b93e58e4c52ae34cd8415c966a24c5da46e0fcfec7fb319cbfe4e1bb6cc1cfebd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a125wnd1\a125wnd1.cmdline

Filesize
342B

MD5
b2a8c4968b2a87b7004f0210a781b232

SHA1
05ab47a6750a0d47f93f29d40af56c277f76bf78

SHA256
1c9c377404a694ba659f13ebf2ef1ea6364b1d977bec23eb5b1a3fd34a86a67f

SHA512
6eb65035f8e01b016f8fc444684a1a013fd71716605eee637753560b85f091a284772103626ff8544c2b7ed1d10b0005c658ef0e1ca4dedf0594735f73bca9f8

Download Submit
\??\c:\Users\Admin\Desktop\CSC12080E0D67384C72846DAA9A3C8A294B.TMP

Filesize
1KB

MD5
5101893c65306bd72d5cbd03d5678399

SHA1
d14a930a7f3e82f7b27979eb16daa54c55fc3c37

SHA256
35bd5918f7c75d1742b0bf337bbc5c667f6c2fc68497ca0245ac46fde171d9ef

SHA512
664949398b789b0c8d7394b75d14f488b54752f3b8abd25e2f8314f8c26e667eee934cec399227b8e675d21b215881196d1151242ba52b5499fc57086686cecb

Download Submit
memory/2380-2547-0x0000014755620000-0x0000014755621000-memory.dmp

Filesize
4KB

Download
memory/2380-2553-0x0000014755620000-0x0000014755621000-memory.dmp

Filesize
4KB

Download
memory/2380-2558-0x0000014755620000-0x0000014755621000-memory.dmp

Filesize
4KB

Download
memory/2380-2559-0x0000014755620000-0x0000014755621000-memory.dmp

Filesize
4KB

Download
memory/2380-2548-0x0000014755620000-0x0000014755621000-memory.dmp

Filesize
4KB

Download
memory/2380-2549-0x0000014755620000-0x0000014755621000-memory.dmp

Filesize
4KB

Download
memory/2380-2554-0x0000014755620000-0x0000014755621000-memory.dmp

Filesize
4KB

Download
memory/2380-2556-0x0000014755620000-0x0000014755621000-memory.dmp

Filesize
4KB

Download
memory/2380-2555-0x0000014755620000-0x0000014755621000-memory.dmp

Filesize
4KB

Download
memory/2380-2557-0x0000014755620000-0x0000014755621000-memory.dmp

Filesize
4KB

Download
memory/2780-2059-0x00007FFC76B80000-0x00007FFC77641000-memory.dmp

Filesize
10.8MB

Download
memory/2780-2069-0x00007FFC76B80000-0x00007FFC77641000-memory.dmp

Filesize
10.8MB

Download
memory/3836-1049-0x00007FFC76980000-0x00007FFC77441000-memory.dmp

Filesize
10.8MB

Download
memory/3836-1048-0x0000000000D20000-0x0000000000D2E000-memory.dmp

Filesize
56KB

Download
memory/3836-1101-0x00007FFC76980000-0x00007FFC77441000-memory.dmp

Filesize
10.8MB

Download
memory/4460-1017-0x00007FFC76B80000-0x00007FFC77641000-memory.dmp

Filesize
10.8MB

Download
memory/4460-1019-0x000000001B600000-0x000000001B610000-memory.dmp

Filesize
64KB

Download
memory/4460-1023-0x000000001B600000-0x000000001B610000-memory.dmp

Filesize
64KB

Download
memory/4460-1018-0x000000001B600000-0x000000001B610000-memory.dmp

Filesize
64KB

Download
memory/4460-1022-0x000000001B600000-0x000000001B610000-memory.dmp

Filesize
64KB

Download
memory/4460-1045-0x00007FFC76B80000-0x00007FFC77641000-memory.dmp

Filesize
10.8MB

Download
memory/4460-1021-0x00007FFC76B80000-0x00007FFC77641000-memory.dmp

Filesize
10.8MB

Download
memory/4460-1020-0x000000001B600000-0x000000001B610000-memory.dmp

Filesize
64KB

Download
memory/4460-1016-0x0000000000AE0000-0x0000000000B6E000-memory.dmp

Filesize
568KB

Download
memory/4560-1100-0x00007FFC76980000-0x00007FFC77441000-memory.dmp

Filesize
10.8MB

Download
memory/4560-1577-0x000000001BAA0000-0x000000001BAB0000-memory.dmp

Filesize
64KB

Download
memory/4560-2054-0x00007FFC76980000-0x00007FFC77441000-memory.dmp

Filesize
10.8MB

Download
memory/4560-1576-0x00007FFC76980000-0x00007FFC77441000-memory.dmp

Filesize
10.8MB

Download
memory/4560-1103-0x000000001BAA0000-0x000000001BAB0000-memory.dmp

Filesize
64KB

Download
memory/5216-2545-0x00007FFC76B80000-0x00007FFC77641000-memory.dmp

Filesize
10.8MB

Download
memory/5216-2546-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/5216-2070-0x00007FFC76B80000-0x00007FFC77641000-memory.dmp

Filesize
10.8MB

Download
memory/5216-2072-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/5892-1085-0x0000017215430000-0x0000017215431000-memory.dmp

Filesize
4KB

Download
memory/5892-1086-0x0000017215540000-0x0000017215541000-memory.dmp

Filesize
4KB

Download
memory/5892-1084-0x0000017215430000-0x0000017215431000-memory.dmp

Filesize
4KB

Download
memory/5892-1082-0x0000017215400000-0x0000017215401000-memory.dmp

Filesize
4KB

Download
memory/5892-1066-0x000001720D090000-0x000001720D0A0000-memory.dmp

Filesize
64KB

Download
memory/5892-1050-0x000001720CF90000-0x000001720CFA0000-memory.dmp

Filesize
64KB

Download
memory/5912-2056-0x000000001BC60000-0x000000001BC70000-memory.dmp

Filesize
64KB

Download
memory/5912-2055-0x00007FFC76980000-0x00007FFC77441000-memory.dmp

Filesize
10.8MB

Download
memory/5912-2058-0x00007FFC76980000-0x00007FFC77441000-memory.dmp

Filesize
10.8MB

Download
memory/5912-1582-0x0000000000E00000-0x0000000000E3C000-memory.dmp

Filesize
240KB

Download
memory/5912-1584-0x00007FFC76980000-0x00007FFC77441000-memory.dmp

Filesize
10.8MB

Download
memory/5912-1586-0x000000001BC60000-0x000000001BC70000-memory.dmp

Filesize
64KB

Download