chaos | hxxps://github[.]com/Hacker2425/Ransomware-Builder

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Hacker2425/Ransomware-Builder

Score

10^/10

chaos discovery ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 5 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023576-217.dat	family_chaos
behavioral1/memory/1040-250-0x0000000000AA0000-0x0000000000B2E000-memory.dmp	family_chaos
behavioral1/files/0x00080000000235a2-345.dat	family_chaos
behavioral1/files/0x00090000000235a9-362.dat	family_chaos
behavioral1/memory/5132-364-0x0000000000900000-0x000000000090C000-memory.dmp	family_chaos

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1040	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
5132	dayum.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
61	raw.githubusercontent.com
62	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 56 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Chaos Ransomware Builder v4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Chaos Ransomware Builder v4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Chaos Ransomware Builder v4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Chaos Ransomware Builder v4.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Chaos Ransomware Builder v4.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 347964.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 33970.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4556	msedge.exe
4556	msedge.exe
1520	msedge.exe
1520	msedge.exe
1256	identity_helper.exe
1256	identity_helper.exe
2140	msedge.exe
2140	msedge.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
1040	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
2348	msedge.exe
5132	dayum.exe
5132	dayum.exe
5132	dayum.exe
5132	dayum.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	Chaos Ransomware Builder v4.exe
Token: SeDebugPrivilege	4184	Chaos Ransomware Builder v4.exe
Token: SeDebugPrivilege	5132	dayum.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe
4184	Chaos Ransomware Builder v4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 3216	1520	msedge.exe	84
PID 1520 wrote to memory of 3216	1520	msedge.exe	84
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 2872	1520	msedge.exe	85
PID 1520 wrote to memory of 4556	1520	msedge.exe	86
PID 1520 wrote to memory of 4556	1520	msedge.exe	86
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87
PID 1520 wrote to memory of 3992	1520	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Hacker2425/Ransomware-Builder
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8231546f8,0x7ff823154708,0x7ff823154718
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe
  "C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe
  "C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4184
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ibbu1fui\ibbu1fui.cmdline"
    3⤵
    PID:452
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B4A.tmp" "c:\Users\Admin\Downloads\CSC8501C0EED1DF4A06A891A05A88A984.TMP"
      4⤵
      PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,18386403330993630966,13046734513738977211,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4784 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5124

C:\Users\Admin\Downloads\dayum.exe
"C:\Users\Admin\Downloads\dayum.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d4829218222c8bedb9ffe89dffd37095

SHA1
aae577f33f413ec3d09f2e7ff5d9cc20a602241c

SHA256
49239b229a2519583ba5d6de3702480b8a8ebf3cfaa8945100dbab25fcb02b7b

SHA512
03e26a2e3de41b8a829b5543da504c7d7ccdc4c112d629efcac24dcda23acb50a52b5b99572b5efb2a01cf392a457cf9fac85663b3d63f7606be00dba218f8f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
15e9c4b4eefb3e1c08a010e748e10f58

SHA1
3172378f2c7a00553ce086dbf53fcf3126c5a724

SHA256
07b56a769467e8b57f9b7acd9d32da266ca5000803758c18bb6818ac236c7000

SHA512
811058b539e914a812c88543bb6657de736f691d18d6dadb5e1f6ced286780fb334dc5f575babbcf4fd2dceda30d1bf4004b374c5775e7f278346b100b29eb7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6dff4075fcb19c4f237fcfd65eaef39f

SHA1
c3bee80483ae299bf75a7ddf3e527e6ecc370c85

SHA256
1ff007f47cb14428c38b50d33ffb0ecd40875f4261fcd59e41a6e2b17e49c0a6

SHA512
1a2e8ae62f920e363da9a2c09097fc513813effc5365ccb3f97b28b9b8618823b298a75741270bedd8634d849ad60dfe49947c1bc34d2af37dee7c8cab9eeda3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
be85a012866f82533b134a3e7c03581c

SHA1
8f361377763dc0f643a3c2746149ca5850c5d8c0

SHA256
7c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0

SHA512
38aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6ed9f8682b26ef28eb7fdafeab1e1350

SHA1
bca36fd4259735995e7aaec6bb879624a593ef35

SHA256
05112bbfd38b5c9aefbbfac0c3c5aae95aae63d9c98760cb9f02a17f5cea0dce

SHA512
fc380718c56bb3722fa3adbcbc1cb0c5af5dc17095643d2d477f39cef37219dc3309f63dba472530ce6c9d89f3e2bd7d304fdce83f2ddbd25a78007652b25888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
50bf6be79c4802911f31889d387c90dc

SHA1
db9fd926eefa086216dbbb761759ff8e21485809

SHA256
4da798c9e811dc07a463b4959b467a1f927ffb64f542f5f3f7b07a85186bc89b

SHA512
b79d86493df826b79b2b774ac37f14d908a39e3e95c1421a7cf548bee4dfa80ce00a2c5800de931c0032ef3767b6052f3902cb1b93be7dcdfe0d2a344ff32d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f95ef6c65378f03975e7bcabf8a31040

SHA1
d0517b4a1cde53cdcac4ea5f5997827fb5b02521

SHA256
32a80b9b6e2eecd7656c92d4865d675ea633ce4f7090e614c5d3c9ba804c5d53

SHA512
cd4e945cccf6d7b0aea1297f263ca91f1f4ca4a693f633534cd4f6505a56987d562d0e63942795966f21a75e958dc20804d733da47787a3a8c6187c165128396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7915ba0545666aa5833cf9f9f86d45d6

SHA1
743ecc319bc2a54973582d4a5198042a48fbe8db

SHA256
f8fcc045da13bde0f5dec3ada86342105cbff34ebc2442bcf51e8ed509a95b20

SHA512
a53036251a22cdc95579ea8641c5574f1dc1f7dfd0390f00ebeafbbea0c1a2c0c3e6dba23bbbb8d8e2c77a3e1e816ccfaf84a97da1c334019c8df1414999d1f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7729343a317af70eca57675d3206d5fd

SHA1
01c886b90163ed8987fa09bb32bb3e7e88dabf8a

SHA256
f09a8ea9ad236982866649fe2ba994c7512a3b40c16f46d45fa1a54f1be8bcc4

SHA512
b34a14c69a59bb67a1fff72729e9ffe2a8e8416640f58fb02356490b4f4832b43b028a9021ad442787b61104d5e801603aab3d0bd14338dfc259249217d3ba57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586aea.TMP

Filesize
1KB

MD5
b43cc0cba2bdcbba8384883f52555714

SHA1
1be07470bc61a00396bee3c461184242f4350529

SHA256
a648569bff3166d5f2f6e34d88b99fc0a2ad34e53c79de44825ca9ba4ae4b3a4

SHA512
552f60a566e9b050e24aefef6d290721d49ed668cde12d3c0bdc2c3af6ca175a70ae6cb8c29206711ffe120b6b5edf3b47dec12d0d192c4747bc868fb9d19ec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
48d08d477bbd0847506ae88146707ff2

SHA1
909bf0eb03d94253df9ffb81cd0fb87c59a28151

SHA256
49c4bab1d696a5de49ddff5c71e7e3eb169e40e50cf6cf85b819ebdead9329c7

SHA512
36c0998f49ef412b79578b0689fab3c940bd8bbc87e75ea80d132c4b17798a8e0a82770c8d1c88dcb1d180702ef3882b3aaece9af2c7b73b09b957550e4804a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a028b92fdb14978f223525859b3af58d

SHA1
6905556eec1b6fce5b2b1d662d4e6b410ed9769e

SHA256
c826308a2e7c4ef0dde0d6f4652533adb8f3af8b7717cba00210b0d7d9b7cb31

SHA512
d0d63e076a4d4cbcbdef18f2ec486c7cc0b1a6e72bac3176d305ed3e67e36c8f0c328218edfe15ee849ebf3c6ac590b8872e4466d3a04f974f60a198e56f0f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1B4A.tmp

Filesize
1KB

MD5
edb1e95420ec227ac4b9abdbe5265d3b

SHA1
9486d0e6c073abd97dd223f7f00dc85d174147ab

SHA256
33ea63fc9ee84872a329bbbf27e27470a16f764a40e951c2ac00bd82c28bf831

SHA512
f9bc6192c4cce1331f3915b74eb200e06ad14505f476367205b0c5974060d5447cf4a8cd1f3b3c3786d309291a5b4ee8d4811fb3c3c1ae5300fd33a94bfe959a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 33970.crdownload

Filesize
550KB

MD5
8b855e56e41a6e10d28522a20c1e0341

SHA1
17ea75272cfe3749c6727388fd444d2c970f9d01

SHA256
f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

SHA512
eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

Download Submit
C:\Users\Admin\Downloads\dayum.exe

Filesize
23KB

MD5
bb03c0295424f55a4ff16511b0143ce4

SHA1
33f1ac3bbecbd575850b43c2398c4aef4becd522

SHA256
344579676fb8ee0e985c3e62ab93e923a0c84be6a80ade997bafb89d0942cf4a

SHA512
e91c8b65abbb7186b8fd1208fa9b36afabe7c2b94257f3b671af8370169ac69e82b9dbe7ffc632a69e4f0d2cdba7d1b3ad3d6f03935ca31c6c7f40ad1bd0741d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ibbu1fui\ibbu1fui.0.cs

Filesize
31KB

MD5
fb695d540f75331ec63c074f61d0d203

SHA1
5a534f306a3b0dd27628e49f44f29f916a603424

SHA256
d3409ecfba25d0185ff090a09a1d95c23f4f36bb22eb6508da1e9da3b39d7afd

SHA512
99b44fe1a6aff69a818c704cda4da740941ed4b844b847d1c238cc8dcf4157cfceedb2a1817d0233115f32088f1f403518cde9858ba5440691edf42cb309aa1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ibbu1fui\ibbu1fui.cmdline

Filesize
333B

MD5
12cda8ccef90d9c9c57ebd9c7cf1a193

SHA1
edfb5017044f0b8f9a41e9a601015178195b8809

SHA256
89cf49ab09be4618abc0eecce89a1789014d4ec3e4ca7017b29b0692d7f6fcc6

SHA512
8b7dd1964deca350a38c60988a4fc72e036d9a64c1b18ec2d655f2dcb76fae57c35408dd5ad2259bf2571db9921329052f7389e09529d8620b07bd83aacd71d9

Download Submit
\??\c:\Users\Admin\Downloads\CSC8501C0EED1DF4A06A891A05A88A984.TMP

Filesize
1KB

MD5
f0088561f438a2a9628ca1c9c3e0a34a

SHA1
1eb95030a893ee635ed6fb20b9d71c03e36ec974

SHA256
b1dc6c1b3be36553e48e768f06982db8c53bc2063e3392f4bda2dc8d42836c85

SHA512
4a0381c10d87cd0ed2148c2c6b4b514c0e57bada5442774636a6628744b370fd59fbf5a58b9b0fabca3eac27168479d2a58ddf5fa06dd4c11ea5c2649703253a

Download Submit
memory/1040-250-0x0000000000AA0000-0x0000000000B2E000-memory.dmp

Filesize
568KB

Download
memory/5132-364-0x0000000000900000-0x000000000090C000-memory.dmp

Filesize
48KB

Download