Analysis Overview
SHA256
052215bee4c3ccb1c764edc26f6d28d78486868a68ac88844ac98296cf628ac9
Threat Level: Known bad
The file car.png was found to be: Known bad.
Malicious Activity Summary
Chaos
Chaos Ransomware
Downloads MZ/PE file
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Browser Information Discovery
Enumerates physical storage devices
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
NTFS ADS
Enumerates system info in registry
Modifies data under HKEY_USERS
Opens file in notepad (likely ransom note)
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-14 12:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-14 12:07
Reported
2024-09-14 12:14
Platform
win10v2004-20240910-de
Max time kernel
334s
Max time network
298s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\hehehehehehhehehehe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\hehehehehehhehehehe.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
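The three Startup-folder writes above are the sample's persistence: Explorer processes every item in that folder at logon, so a `.url` dropped there by an unsigned binary in `AppData\Roaming` is an autorun entry, while the `desktop.ini` and `read_it.txt` writes in the same folder are the encryption pass and ransom note touching a directory that happened to be enumerated. The following check is an added example, not part of this report or of any sandbox product: it replays the table's three records as constructed file events (plus two made-up benign records for contrast) and separates autorun drops from other Startup writes. The `EXPECTED_WRITERS` allow-list is an assumption to tune per estate.

```python
r"""Startup-folder persistence check, replayed over constructed file events.

Added example, not part of the sandbox report. The three svchost.exe
records mirror the 'Drops startup file' table; the explorer.exe record
and the Documents record are constructed for contrast.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-user Startup folder (what the report shows) and the all-users one.
# The trailing [^\\]+$ restricts matches to files directly inside Startup.
STARTUP_RE = re.compile(
    r"\\(?:AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
    r"|ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp)\\[^\\]+$",
    re.IGNORECASE,
)

# Extensions Explorer will run or follow at logon; .url is what this sample used.
AUTORUN_EXT = {".exe", ".url", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta", ".scr"}

# Writers that legitimately populate Startup (assumption; tune per estate).
EXPECTED_WRITERS = {"explorer.exe", "msiexec.exe"}


@dataclass(frozen=True)
class FileEvent:
    image: str   # full path of the process that wrote the file
    target: str  # file created or opened for modification


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: FileEvent) -> Optional[str]:
    """None outside Startup; 'autorun' for an executable-type file written by an
    unexpected process; 'other' for any other write into Startup (still worth a look:
    here it was the ransom note and the encryptor touching desktop.ini)."""
    if not STARTUP_RE.search(ev.target):
        return None
    name = _basename(ev.target)
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in AUTORUN_EXT and _basename(ev.image) not in EXPECTED_WRITERS:
        return "autorun"
    return "other"


def triage(events: List[FileEvent]) -> List[Tuple[str, str]]:
    """Return (verdict, target) for every event that touched a Startup folder."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((verdict, ev.target))
    return hits


# Constructed sample: the report's three Startup writes plus two contrast records.
DROPPER = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    FileEvent(DROPPER, STARTUP + r"\svchost.url"),
    FileEvent(DROPPER, STARTUP + r"\desktop.ini"),
    FileEvent(DROPPER, STARTUP + r"\read_it.txt"),
    FileEvent(r"C:\Windows\explorer.exe", STARTUP + r"\Teams.lnk"),  # constructed benign
    FileEvent(DROPPER, r"C:\Users\Admin\Documents\desktop.ini"),     # outside Startup
]

if __name__ == "__main__":
    for verdict, target in triage(SAMPLE_EVENTS):
        print(f"{verdict:8} {target}")
```

The report does not show the contents of `svchost.url`, so the check flags the drop and leaves the target of the shortcut to follow-up on the host; a `.url` in Startup is an `[InternetShortcut]` whose `URL=` line can be a local path, which is how a dropped executable gets launched at logon.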
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\hehehehehehhehehehe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\hehehehehehhehehehe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
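The dropped payload is named `svchost.exe` but runs from `C:\Users\Admin\AppData\Roaming`, while the genuine service host in the process list below runs from `C:\Windows\system32` with a `-k <service group>` command line. Both facts are cheap to check on process-creation telemetry. The following check is an added example, not part of this report: it scores a process record on two signals, a protected system-binary name outside the Windows system directories, and an `svchost.exe` started without a service group. The two paths come from this report; the command line of the dropped copy is assumed, because the report does not list it, and the third and fourth records are constructed for contrast.

```python
r"""Masquerading check for system-binary names, over constructed process events.

Added example, not part of the sandbox report. The first two image paths
are the report's own; the dropped copy's command line is assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Names that only ever run from the Windows system directories.
PROTECTED_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
    "winlogon.exe", "smss.exe", "wininit.exe",
}

# Accepts C:\Windows\System32\<file> or ...\SysWOW64\<file>, with an optional \\?\ prefix.
SYSTEM_DIR_RE = re.compile(
    r"^(?:\\\\\?\\)?[a-z]:\\windows\\(?:system32|syswow64)\\[^\\]+$", re.IGNORECASE
)

# A real service host is started by services.exe with "-k <group>" on its command line.
SVCHOST_GROUP_RE = re.compile(r"(?:^|\s)-k\s+\S+", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    image: str    # full image path
    cmdline: str  # command line as logged


def check(ev: ProcessEvent) -> Optional[str]:
    """Return a verdict string for a suspicious record, or None."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name not in PROTECTED_NAMES:
        return None
    if not SYSTEM_DIR_RE.match(ev.image):
        return "masquerade_path"
    if name == "svchost.exe" and not SVCHOST_GROUP_RE.search(ev.cmdline):
        return "svchost_without_service_group"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (verdict, image) for every flagged record, in input order."""
    return [(v, ev.image) for ev in events if (v := check(ev))]


# Constructed sample. Record 1 and the path of record 2 are from the report;
# record 2's command line is assumed; records 3 and 4 are made up for contrast.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Windows\system32\svchost.exe",
        r"C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc",
    ),
    ProcessEvent(
        r"C:\Users\Admin\AppData\Roaming\svchost.exe",
        r"C:\Users\Admin\AppData\Roaming\svchost.exe",  # assumed
    ),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"svchost.exe"),  # right path, no -k
    ProcessEvent(
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    ),
]

if __name__ == "__main__":
    for verdict, image in scan(SAMPLE_EVENTS):
        print(f"{verdict:30} {image}")
```

The path test alone already catches this sample; the `-k` test covers a copy that an attacker writes into `System32` itself, which needs local admin but is not rare. A parent-process test (`services.exe` for every real `svchost.exe`) is the stronger third signal, but this report does not expose parent PIDs, so it is left out here.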
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133707893163890137" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads" | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000 | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629364133-3182087385-364449604-1000\{4485E356-D6D2-4F47-A3AE-841C8AB2CF8F} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Nicht bestätigt 565082.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\car.png
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdc870cc40,0x7ffdc870cc4c,0x7ffdc870cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2032,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2028 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1584,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2096 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2316,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2520 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3192 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3236 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3752,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4580 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4868 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4968 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4048,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5496 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=240,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5484 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3184,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3224 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdc85c46f8,0x7ffdc85c4708,0x7ffdc85c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=audio --mojo-platform-channel-handle=5456 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=video_capture --mojo-platform-channel-handle=5464 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=collections --mojo-platform-channel-handle=5796 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6848 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=7032 /prefetch:8
C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe
"C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3696 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ajj5kcl1\ajj5kcl1.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BB9.tmp" "c:\Users\Admin\Downloads\CSCFDBC889C9FBB40809B996984B6627AAD.TMP"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\hehehehehehhehehehe.exe
"C:\Users\Admin\Downloads\hehehehehehhehehehe.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\read_it.txt
C:\Users\Admin\Downloads\hehehehehehhehehehe.exe
"C:\Users\Admin\Downloads\hehehehehehhehehehe.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
Network
Files
| SHA1 | 487cdb5733d073a0427418888e8f7070fe782a03 |
| SHA256 | 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121 |
| SHA512 | 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hehehehehehhehehehe.exe.log
| MD5 | 28d7fcc2b910da5e67ebb99451a5f598 |
| SHA1 | a5bf77a53eda1208f4f37d09d82da0b9915a6747 |
| SHA256 | 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c |
| SHA512 | 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6 |