chaos | a78d6caa0a4b98ca054410bc97416093e9ed3746215f621d67c1b6da93c58427

Analysis

max time kernel
567s
max time network
567s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

freddo.exe
Size

14.3MB
MD5

54624a787c53efc6b2b2f0adb02303c3
SHA1

f9ac2cb0fab7d6024a5e9e078edede8e1bb8848c
SHA256

a78d6caa0a4b98ca054410bc97416093e9ed3746215f621d67c1b6da93c58427
SHA512

987e73b269889c2668bb626edbef4dfeb589b36361b58f8f983a08bcd2120656fd1b85b33f92fb6ae86878b2c7d60eef945d1c0ca274f7740ce56f5e77882ed6
SSDEEP

393216:YHFuDKw9va/tx9L+zn7DJTa1TsUS4uPVJGbahsWPJ2i:YHFuDKw9vUtvQn7DJT0sU7u9c5EJ2i

Score

10^/10

chaos evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\FREDDO.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 5 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023280-44.dat	family_chaos
behavioral1/memory/5952-52-0x0000000000BF0000-0x0000000000C7E000-memory.dmp	family_chaos
behavioral1/files/0x0006000000000500-73.dat	family_chaos
behavioral1/files/0x000e000000009f84-84.dat	family_chaos
behavioral1/memory/4108-86-0x00000000002D0000-0x00000000002EC000-memory.dmp	family_chaos

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5524	bcdedit.exe
2296	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2916	wbadmin.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	freddo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	freddoisalive.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	freddoisalive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FREDDO.txt	freddoisalive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freddoisalive.url	freddoisalive.exe

Executes dropped EXE 5 IoCs

pid	Process
5412	Chaos Ransomware Builder v4 Cleaned.exe
5684	Chaos Ransomware Builder v4 Cleaned.exe
5952	Chaos Ransomware Builderv4.exe
4108	freddo.exe
6000	freddoisalive.exe

Loads dropped DLL 6 IoCs

pid	Process
4896	freddo.exe
4896	freddo.exe
4896	freddo.exe
4896	freddo.exe
4896	freddo.exe
4896	freddo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	freddoisalive.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	freddoisalive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	freddoisalive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
171	raw.githubusercontent.com
172	raw.githubusercontent.com
173	raw.githubusercontent.com
174	raw.githubusercontent.com
166	raw.githubusercontent.com
167	raw.githubusercontent.com
168	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\k6iaah54s.jpg"	freddoisalive.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Chaos Ransomware Builder v4 Cleaned\Chaos Ransomware Builder v4 Cleaned.exe	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4028	vssadmin.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Chaos Ransomware Builderv4.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Chaos Ransomware Builderv4.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	Chaos Ransomware Builderv4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Chaos Ransomware Builderv4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Chaos Ransomware Builderv4.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Chaos Ransomware Builderv4.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Chaos Ransomware Builderv4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	Chaos Ransomware Builderv4.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	freddoisalive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Chaos Ransomware Builderv4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Chaos Ransomware Builderv4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Chaos Ransomware Builderv4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	Chaos Ransomware Builderv4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Chaos Ransomware Builderv4.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Chaos Ransomware Builderv4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Chaos Ransomware Builderv4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Pictures"	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Chaos Ransomware Builderv4.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Chaos Ransomware Builderv4.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Chaos Ransomware Builderv4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Chaos Ransomware Builderv4.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{3CFCBAE8-A2AA-4A58-88E0-70001DD00C3A}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	Chaos Ransomware Builderv4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Chaos Ransomware Builderv4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	Chaos Ransomware Builderv4.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 06000000020000000000000001000000050000000400000003000000ffffffff	Chaos Ransomware Builderv4.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	Chaos Ransomware Builderv4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	Chaos Ransomware Builderv4.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Chaos Ransomware Builderv4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 02000000000000000100000006000000050000000400000003000000ffffffff	Chaos Ransomware Builderv4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 02000000060000000000000001000000050000000400000003000000ffffffff	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Chaos Ransomware Builderv4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	Chaos Ransomware Builderv4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Chaos Ransomware Builderv4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000020000000100000006000000050000000400000003000000ffffffff	Chaos Ransomware Builderv4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	Chaos Ransomware Builderv4.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Chaos Ransomware Builderv4.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3216	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6000	freddoisalive.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
5272	7zFM.exe
5272	7zFM.exe
5272	7zFM.exe
5272	7zFM.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
4108	freddo.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe
6000	freddoisalive.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4896	freddo.exe
5272	7zFM.exe
5952	Chaos Ransomware Builderv4.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: 33	4256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4256	AUDIODG.EXE
Token: SeRestorePrivilege	5272	7zFM.exe
Token: 35	5272	7zFM.exe
Token: SeSecurityPrivilege	5272	7zFM.exe
Token: SeSecurityPrivilege	5272	7zFM.exe
Token: SeSecurityPrivilege	5272	7zFM.exe
Token: SeSecurityPrivilege	5272	7zFM.exe
Token: SeDebugPrivilege	4108	freddo.exe
Token: SeDebugPrivilege	6000	freddoisalive.exe
Token: SeBackupPrivilege	3320	vssvc.exe
Token: SeRestorePrivilege	3320	vssvc.exe
Token: SeAuditPrivilege	3320	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1876	WMIC.exe
Token: SeSecurityPrivilege	1876	WMIC.exe
Token: SeTakeOwnershipPrivilege	1876	WMIC.exe
Token: SeLoadDriverPrivilege	1876	WMIC.exe
Token: SeSystemProfilePrivilege	1876	WMIC.exe
Token: SeSystemtimePrivilege	1876	WMIC.exe
Token: SeProfSingleProcessPrivilege	1876	WMIC.exe
Token: SeIncBasePriorityPrivilege	1876	WMIC.exe
Token: SeCreatePagefilePrivilege	1876	WMIC.exe
Token: SeBackupPrivilege	1876	WMIC.exe
Token: SeRestorePrivilege	1876	WMIC.exe
Token: SeShutdownPrivilege	1876	WMIC.exe
Token: SeDebugPrivilege	1876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1876	WMIC.exe
Token: SeRemoteShutdownPrivilege	1876	WMIC.exe
Token: SeUndockPrivilege	1876	WMIC.exe
Token: SeManageVolumePrivilege	1876	WMIC.exe
Token: 33	1876	WMIC.exe
Token: 34	1876	WMIC.exe
Token: 35	1876	WMIC.exe
Token: 36	1876	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1876	WMIC.exe
Token: SeSecurityPrivilege	1876	WMIC.exe
Token: SeTakeOwnershipPrivilege	1876	WMIC.exe
Token: SeLoadDriverPrivilege	1876	WMIC.exe
Token: SeSystemProfilePrivilege	1876	WMIC.exe
Token: SeSystemtimePrivilege	1876	WMIC.exe
Token: SeProfSingleProcessPrivilege	1876	WMIC.exe
Token: SeIncBasePriorityPrivilege	1876	WMIC.exe
Token: SeCreatePagefilePrivilege	1876	WMIC.exe
Token: SeBackupPrivilege	1876	WMIC.exe
Token: SeRestorePrivilege	1876	WMIC.exe
Token: SeShutdownPrivilege	1876	WMIC.exe
Token: SeDebugPrivilege	1876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1876	WMIC.exe
Token: SeRemoteShutdownPrivilege	1876	WMIC.exe
Token: SeUndockPrivilege	1876	WMIC.exe
Token: SeManageVolumePrivilege	1876	WMIC.exe
Token: 33	1876	WMIC.exe
Token: 34	1876	WMIC.exe
Token: 35	1876	WMIC.exe
Token: 36	1876	WMIC.exe
Token: SeBackupPrivilege	5692	wbengine.exe
Token: SeRestorePrivilege	5692	wbengine.exe
Token: SeSecurityPrivilege	5692	wbengine.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
5272	7zFM.exe
5272	7zFM.exe
5272	7zFM.exe
5272	7zFM.exe
5272	7zFM.exe
5272	7zFM.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4896	freddo.exe
5412	Chaos Ransomware Builder v4 Cleaned.exe
5412	Chaos Ransomware Builder v4 Cleaned.exe
5684	Chaos Ransomware Builder v4 Cleaned.exe
5684	Chaos Ransomware Builder v4 Cleaned.exe
4336	msedge.exe
5952	Chaos Ransomware Builderv4.exe
5952	Chaos Ransomware Builderv4.exe
5952	Chaos Ransomware Builderv4.exe
5952	Chaos Ransomware Builderv4.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 5272 wrote to memory of 5412	5272	7zFM.exe	133
PID 5272 wrote to memory of 5412	5272	7zFM.exe	133
PID 5272 wrote to memory of 5412	5272	7zFM.exe	133
PID 5272 wrote to memory of 5684	5272	7zFM.exe	136
PID 5272 wrote to memory of 5684	5272	7zFM.exe	136
PID 5272 wrote to memory of 5684	5272	7zFM.exe	136
PID 5272 wrote to memory of 5952	5272	7zFM.exe	138
PID 5272 wrote to memory of 5952	5272	7zFM.exe	138
PID 5952 wrote to memory of 5416	5952	Chaos Ransomware Builderv4.exe	158
PID 5952 wrote to memory of 5416	5952	Chaos Ransomware Builderv4.exe	158
PID 5416 wrote to memory of 6080	5416	csc.exe	160
PID 5416 wrote to memory of 6080	5416	csc.exe	160
PID 4108 wrote to memory of 6000	4108	freddo.exe	167
PID 4108 wrote to memory of 6000	4108	freddo.exe	167
PID 6000 wrote to memory of 4124	6000	freddoisalive.exe	169
PID 6000 wrote to memory of 4124	6000	freddoisalive.exe	169
PID 4124 wrote to memory of 4028	4124	cmd.exe	171
PID 4124 wrote to memory of 4028	4124	cmd.exe	171
PID 4124 wrote to memory of 1876	4124	cmd.exe	174
PID 4124 wrote to memory of 1876	4124	cmd.exe	174
PID 6000 wrote to memory of 4644	6000	freddoisalive.exe	176
PID 6000 wrote to memory of 4644	6000	freddoisalive.exe	176
PID 4644 wrote to memory of 5524	4644	cmd.exe	178
PID 4644 wrote to memory of 5524	4644	cmd.exe	178
PID 4644 wrote to memory of 2296	4644	cmd.exe	179
PID 4644 wrote to memory of 2296	4644	cmd.exe	179
PID 6000 wrote to memory of 2324	6000	freddoisalive.exe	180
PID 6000 wrote to memory of 2324	6000	freddoisalive.exe	180
PID 2324 wrote to memory of 2916	2324	cmd.exe	182
PID 2324 wrote to memory of 2916	2324	cmd.exe	182
PID 6000 wrote to memory of 3216	6000	freddoisalive.exe	186
PID 6000 wrote to memory of 3216	6000	freddoisalive.exe	186

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\freddo.exe
"C:\Users\Admin\AppData\Local\Temp\freddo.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4144 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3636 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5380 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5508 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:4112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x3c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=3940 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5852 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=4144 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6088 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=4460 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6408 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6460 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=5488 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=4788 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:2984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=3932 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=4040 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7072 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=7076 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=4104 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=6412 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=6036 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=6016 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=7200 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=7336 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=7368 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7896 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
- Drops file in Program Files directory
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5352 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:5192

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Chaos_Ransomware_Builder_v4_Cleaned.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5272
- C:\Users\Admin\AppData\Local\Temp\7zO8941FEE9\Chaos Ransomware Builder v4 Cleaned.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8941FEE9\Chaos Ransomware Builder v4 Cleaned.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5412
- C:\Users\Admin\AppData\Local\Temp\7zO8944E34A\Chaos Ransomware Builder v4 Cleaned.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8944E34A\Chaos Ransomware Builder v4 Cleaned.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5684
- C:\Users\Admin\AppData\Local\Temp\7zO89480E0A\Chaos Ransomware Builderv4.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO89480E0A\Chaos Ransomware Builderv4.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5952
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ho222szk\ho222szk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5416
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF6F.tmp" "c:\Users\Admin\3D Objects\CSCAF57768ED315433A81C63071C35848F5.TMP"
      4⤵
      PID:6080

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\17a74af36f984ba4abbd5fc876d82818 /t 5416 /p 5412
1⤵
PID:5568

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\a7a6111757f64c698762030a4baa1db5 /t 5688 /p 5684
1⤵
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=6844 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=7224 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:6116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=7664 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=7300 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=5408 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --mojo-platform-channel-handle=7584 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=7424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7808 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --mojo-platform-channel-handle=4792 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
1⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=8416 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:2468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3908 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4416

C:\Users\Admin\3D Objects\freddo.exe
"C:\Users\Admin\3D Objects\freddo.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Roaming\freddoisalive.exe
  "C:\Users\Admin\AppData\Roaming\freddoisalive.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:6000
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4028
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1876
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:5524
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2296
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2916
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\FREDDO.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5692

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5496

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:6076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3D Objects\freddo.exe

Filesize
90KB

MD5
e6f35fd2416c7c1b184bbea56f6a8822

SHA1
5bcb2e5a4c12284413b371258444b9c67a31c3f8

SHA256
a568351bceeb16a4f177e568e559b4707f66549130e7e3b0b8873fa746cf43ff

SHA512
03a714c0b060f3aca71c531b95f36a74b7de500cce13c9445c74c3744287edd8b2a6f4d1a0fd4d3b3735323149786723cf18df644e129ca73b0aca4d198e2afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8941FEE9\Chaos Ransomware Builder v4 Cleaned.exe

Filesize
345KB

MD5
30caa962e1ee863f2fcbed2b8e38f207

SHA1
3ea3d0fdbdf6339756983152df6e3a28d5873a11

SHA256
c5004c691b576c3f3899d628176ade9d8c87b7bf6d44d96945b4d1df1254a132

SHA512
61ce53a94d0a4695368d33f9e3a1435800b9fd828e7e0c14144a0e45ac3ae7c4b4c04ecf9c5a5b794c2049759dc34df6e23ac39741c98bbd8cf18bda9d1c2a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO89480E0A\Chaos Ransomware Builderv4.exe

Filesize
548KB

MD5
9a44537dfcf8ceac515c4aa92f30f4af

SHA1
9a26c3ff3251f69950ce09e3692ce14b5dd536b1

SHA256
3246be7f25f8f4cd9ade8f0a8faf12847df126eecf65d7e8012f35ab45e73a40

SHA512
94da6f1aaae6c25e47e31ac246a8703ec8f7b2893a44ae10f7600cc79ba673bca60d7fb41b2ebac8a4b5497ab98a0a195a32d93f4fc140ba7c9cd25811943500

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEF6F.tmp

Filesize
1KB

MD5
93b04e04ff89d3059a90dcabd212e2ab

SHA1
3ba88c5682bf129cf1fc4a281323f8b7e722c7d3

SHA256
94fb210a157a9e8781aca9919b6516c7089b64cd11194a572f2b3e616150ee84

SHA512
2feebd8c707e96aa3fe3a2a2d62347ff111254b7feea67f3185a624307eade74e8615d05e89f03dff7bf131da6683717bc16502c98808bac0eba5066241a004a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt364D.tmp\kcini.mfx

Filesize
28KB

MD5
e8d589ec9987e568726f882c8792c06b

SHA1
3ddaab03befb496629f4208ebd0e01c63e69a857

SHA256
499d3e1b9720ea6cc10f8b56378bdfce2622008f45243a0fc273446662ca0cfa

SHA512
89d658f1380938b78fbb9475ac0a942414360704df6e739a96a26c2ea15268fcb0ad11b28b614bab2fe3aaa3d4c14dc8a79ea2dbe11e9e0a327199c76178d4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt364D.tmp\mmf2d3d9.dll

Filesize
1.1MB

MD5
ba4baf4220ede3a3bd32123e9c0fd952

SHA1
e1186c6746d67e42fc57f72a6ed07e600755305e

SHA256
a38d94169881d68a20c5031895492fa2bae58e70332b2f08fca79e62f4359edd

SHA512
55827a02e2617bc94b9990ff348d893eda39fdc6251abe506e0ac1f656ac2cd9bdae8197de437b277c434482e8a1c6782f7ab5b8993d1aa0b779d21b6349dece

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt364D.tmp\mmfs2.dll

Filesize
460KB

MD5
4758d460ecbb307ed90d59643046f00b

SHA1
2bd87c39f97b73b9db6d205bb10ae37eb82f2372

SHA256
3293a93c6d8a2ce529538fbdd2a81dc623fc40464efdb5348c8e039788ad1b22

SHA512
970a44102539ed3116c125bfcf9075e3acb8f710a338ff8ba881bbebf5111d236b3c27bf325a77d83d295aba8e836439fb6fd54a899e3ef075e1e45b6e2a1fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt364D.tmp\mp3flt.sft

Filesize
24KB

MD5
f0ebc8596156d8ebf6201a10f9864305

SHA1
0efd689d027d2d592369c3585cdd9a0b879e6562

SHA256
fcca0e08e8a64081d71f3ad7455cb5bea48e73f158f0773e856fa100914fe192

SHA512
7752fb5d3d114791c7940088b98c03252d6fb151ad11774a8fd8b4fdf2d289c66b5d54a56feddda2e2e4de125f7f6b75c1197eae276add1774e3290becd8bcf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt364D.tmp\oggflt.sft

Filesize
130KB

MD5
3c63ea4611008fbcf86435559e9dffab

SHA1
fdc9c6302fcc427530b2dbff63aad1b6d204125a

SHA256
9efb0b4cff5bb033cf1e04bdeabc581db7d787399c5238f4fb40a1e820aac6b8

SHA512
938c6ebbd0a7248f32bc83d2548791b35764417a74728b8b861d2bd539c182ced6f5168a604679e20c150dc6741fd6868768e7d1ffce224667546d3ea80787d3

Download Submit
C:\Users\Admin\AppData\Roaming\sdf.txt

Filesize
33KB

MD5
ce460a60f31539005b67109403a867dd

SHA1
924b3f0eddd4131e577e073a2942131193cb2520

SHA256
8fe509807fca1ceeae5c624fd81951aaae0d617a00651f5eb45a55f79394182c

SHA512
3003ecc2c3feafda47288aef4fc9d30c19b17395fd98c1f02ada1f46b065b1518ee0d0e06f745e00d60563df102fae752c28c08369d61e2e3118bca2e1827adf

Download Submit
C:\Users\Admin\Documents\FREDDO.txt

Filesize
964B

MD5
4217b8b83ce3c3f70029a056546f8fd0

SHA1
487cdb5733d073a0427418888e8f7070fe782a03

SHA256
7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

SHA512
2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

Download Submit
\??\c:\Users\Admin\3D Objects\CSCAF57768ED315433A81C63071C35848F5.TMP

Filesize
1KB

MD5
b4b8e8a8d97be07e18f495d1ca441898

SHA1
115ea79252dedcf36b3ebfca4272400e603780b4

SHA256
e33a6dd420e36079a151715da5eebb97389299889a20a7a5133897c33af75d15

SHA512
a113fa01d3ea93141714895f84ff42eb58383a818d46c933cc5a806dd91725a46145529ddc578e00457d40cc8bf63cf10c18a17dfee07f0595a733deb611e870

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ho222szk\ho222szk.0.cs

Filesize
64KB

MD5
67f8b1f2ebf501ecd630a3c45caa9ae4

SHA1
d75dbe5bd35e1610986f6300cb69fc073bf1676b

SHA256
7ca0ffb7be7c98d38b3b4e740ad93165090867df543bb0b344d10d0474180ec1

SHA512
14f54966f5c419c0c6f1c47320827487f570f626253647ac9bf602c1aa3a9ab3e2215a6fd5e99bf01b72c49f509c408dcca364fbe6debbfca5d370c04a140f25

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ho222szk\ho222szk.cmdline

Filesize
335B

MD5
902c1634dfa605fad3a5afd726ff6282

SHA1
bbf26c9c5a7069441d2f508885af586e8cc76b68

SHA256
d1ba3ec60d0f833061d91867df2ae7194be8f8b922b37ea389d8d18ff8fea553

SHA512
b685a488849bd9ff7291b7f6ebb0e14a0bc6c241bbb45199f845084db8f0b4783e62b88494fd68aa9b04b98f9272fa1130fae46e75877e3f8609cc6480a160bc

Download Submit
memory/4108-101-0x00007FFAE1170000-0x00007FFAE1C31000-memory.dmp

Filesize
10.8MB

Download
memory/4108-87-0x00007FFAE1170000-0x00007FFAE1C31000-memory.dmp

Filesize
10.8MB

Download
memory/4108-86-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/4896-20-0x0000000002F20000-0x0000000002F44000-memory.dmp

Filesize
144KB

Download
memory/5952-52-0x0000000000BF0000-0x0000000000C7E000-memory.dmp

Filesize
568KB

Download
memory/5952-56-0x000000001B990000-0x000000001B9A0000-memory.dmp

Filesize
64KB

Download
memory/5952-61-0x000000001B990000-0x000000001B9A0000-memory.dmp

Filesize
64KB

Download
memory/5952-60-0x000000001B990000-0x000000001B9A0000-memory.dmp

Filesize
64KB

Download
memory/5952-59-0x000000001B990000-0x000000001B9A0000-memory.dmp

Filesize
64KB

Download
memory/5952-58-0x00007FFAE1170000-0x00007FFAE1C31000-memory.dmp

Filesize
10.8MB

Download
memory/5952-57-0x000000001B990000-0x000000001B9A0000-memory.dmp

Filesize
64KB

Download
memory/5952-62-0x000000001B990000-0x000000001B9A0000-memory.dmp

Filesize
64KB

Download
memory/5952-55-0x000000001B990000-0x000000001B9A0000-memory.dmp

Filesize
64KB

Download
memory/5952-53-0x00007FFAE1170000-0x00007FFAE1C31000-memory.dmp

Filesize
10.8MB

Download
memory/5952-54-0x000000001B990000-0x000000001B9A0000-memory.dmp

Filesize
64KB

Download
memory/6000-104-0x000000001B540000-0x000000001B550000-memory.dmp

Filesize
64KB

Download
memory/6000-102-0x00007FFAE1170000-0x00007FFAE1C31000-memory.dmp

Filesize
10.8MB

Download
memory/6000-573-0x00007FFAE1170000-0x00007FFAE1C31000-memory.dmp

Filesize
10.8MB

Download