Malware Analysis Report

2024-08-06 16:18

Sample ID 240702-slc5esyara
Target Chaos Ransomware Builder v4.exe
SHA256 f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
Tags
chaos ransomware spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file Chaos Ransomware Builder v4.exe was found to be: Known bad.

Malicious Activity Summary

chaos ransomware spyware stealer

Chaos family

Chaos Ransomware

Chaos

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Opens file in notepad (likely ransom note)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-02 15:12

Signatures

Chaos Ransomware

Chaos family

chaos

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 15:12

Reported

2024-07-02 15:18

Platform

win10-20240404-en

Max time kernel

359s

Max time network

336s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-873560699-1074803302-2326074425-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 600031000000000084584e6310004d594e4f54457e310000480009000400efbe84584d6384584e632e000000cb760000000012000000000000000000000000000000183996004d00790020004e006f007400650062006f006f006b00000018000000 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000020000000100000000000000ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\NodeSlot = "4" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0400000003000000000000000100000002000000ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000900444648b4cd1118b70080036b11a030300000078000000 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000030000000100000002000000ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\LogicalViewMode = "3" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\IconSize = "96" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 02000000010000000000000003000000ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000030000000200000001000000ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 = 3a002e8096f2fd3decdbb44f81d16a3438bcf4de260001002600efbe11000000a4aa36d68986da01e23ddc7a9586da01e23ddc7a9586da0114000000 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000a4aa36d68986da01083e0dd78986da0157dc0ad78986da0114000000 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A

Opens file in notepad (likely ransom note)

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh2.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh2.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh2.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh2.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh2.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh2.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh2.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh2.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh2.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh2.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh2.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh2.exe N/A
N/A N/A C:\Users\Admin\Downloads\hvh2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\hvh.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\hvh2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\hvh2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\hvh2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\hvh2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\hvh2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\hvh2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\hvh2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\hh.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\hh.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\hh.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\hh.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\hh.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4764 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4764 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1056 wrote to memory of 4168 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1056 wrote to memory of 4168 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2944 wrote to memory of 2616 N/A C:\Users\Admin\Downloads\hvh.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2944 wrote to memory of 2616 N/A C:\Users\Admin\Downloads\hvh.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2616 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 2616 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 4764 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4764 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4652 wrote to memory of 760 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4652 wrote to memory of 760 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4100 wrote to memory of 2964 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4100 wrote to memory of 2964 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4540 wrote to memory of 2484 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4540 wrote to memory of 2484 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2156 wrote to memory of 2100 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2156 wrote to memory of 2100 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1272 wrote to memory of 2192 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1272 wrote to memory of 2192 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1544 wrote to memory of 1748 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1544 wrote to memory of 1748 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4280 wrote to memory of 3864 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4280 wrote to memory of 3864 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3984 wrote to memory of 4336 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3984 wrote to memory of 4336 N/A C:\Users\Admin\Downloads\hvh2.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4764 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4764 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3868 wrote to memory of 4612 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3868 wrote to memory of 4612 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 992 wrote to memory of 4196 N/A C:\Users\Admin\Videos\hh.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 992 wrote to memory of 4196 N/A C:\Users\Admin\Videos\hh.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 4428 N/A C:\Users\Admin\Videos\hh.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 4428 N/A C:\Users\Admin\Videos\hh.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1236 wrote to memory of 4452 N/A C:\Users\Admin\Videos\hh.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1236 wrote to memory of 4452 N/A C:\Users\Admin\Videos\hh.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1704 wrote to memory of 1940 N/A C:\Users\Admin\Videos\hh.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1704 wrote to memory of 1940 N/A C:\Users\Admin\Videos\hh.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 604 wrote to memory of 4124 N/A C:\Users\Admin\Videos\hh.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 604 wrote to memory of 4124 N/A C:\Users\Admin\Videos\hh.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe

"C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s fdPHost

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5b5teebi\5b5teebi.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3781.tmp" "c:\Users\Admin\Downloads\CSCFA921DB9FAAB40B7B0373418F122BDAB.TMP"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\hvh.exe

"C:\Users\Admin\Downloads\hvh.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ciy3xpv0\ciy3xpv0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2B3.tmp" "c:\Users\Admin\Downloads\CSC93B926F2CADA4E11B82357DFB72E606F.TMP"

C:\Users\Admin\Downloads\hvh2.exe

"C:\Users\Admin\Downloads\hvh2.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\Downloads\hvh2.exe

"C:\Users\Admin\Downloads\hvh2.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\Downloads\hvh2.exe

"C:\Users\Admin\Downloads\hvh2.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\Downloads\hvh2.exe

"C:\Users\Admin\Downloads\hvh2.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\Downloads\hvh2.exe

"C:\Users\Admin\Downloads\hvh2.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\Downloads\hvh2.exe

"C:\Users\Admin\Downloads\hvh2.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\read_it.txt

C:\Users\Admin\Downloads\hvh2.exe

"C:\Users\Admin\Downloads\hvh2.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3emxat4l\3emxat4l.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8CA.tmp" "c:\Users\Admin\Videos\CSC5D3AD5B232A94ED788E06540B1492B70.TMP"

C:\Users\Admin\Videos\hh.exe

"C:\Users\Admin\Videos\hh.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Videos\read_it.txt

C:\Users\Admin\Videos\hh.exe

"C:\Users\Admin\Videos\hh.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\Videos\hh.exe

"C:\Users\Admin\Videos\hh.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\Videos\hh.exe

"C:\Users\Admin\Videos\hh.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\Videos\hh.exe

"C:\Users\Admin\Videos\hh.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
N/A 239.255.255.250:3702 N/A udp
N/A 239.255.255.250:3702 N/A udp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp

Files

memory/4764-0-0x0000000000550000-0x00000000005DE000-memory.dmp

memory/4764-1-0x00007FFFF2EF3000-0x00007FFFF2EF4000-memory.dmp

memory/4764-2-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp

memory/4764-3-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp

memory/4764-4-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp

memory/4764-5-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp

memory/4764-6-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp

memory/4764-7-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp

memory/4764-8-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\5b5teebi\5b5teebi.cmdline

MD5 45d84f41f3467d73c157a994696db721
SHA1 7406887d2bde4f9da094ddab05b5cd33ade0a619
SHA256 2491ed569d5e1ce3915a923d0c2eb0c94643eb92860466fceca64a7ea2880085
SHA512 71c60f34f04e5301d697004ce0c7917ff6ff22c0b4e61db5380b8d85b65b40be76519634b4dc6491d79ade87d8fcb0da9730587db5cc75fb23a4011d2d1cc463

\??\c:\Users\Admin\AppData\Local\Temp\5b5teebi\5b5teebi.0.cs

MD5 76e03563ee3ab915bce443d213332ee7
SHA1 145d7da3c060b50eec81085a8fd05fcc3d849e78
SHA256 4c83fba26f2af551ca9044aca13e24ee109228b0c06563ebe75e36a0d294c607
SHA512 d40bb7d1d1427557198332d7ccd82182179a5cf2d61d0674f16d1b80104d6a1b111473f32965bbdb48f9e98ac386be5bf0bff7a0f80121bed58e6a482731bc1f

\??\c:\Users\Admin\Downloads\CSCFA921DB9FAAB40B7B0373418F122BDAB.TMP

MD5 db48332b666058d0db48a5461f5356b4
SHA1 27af6df905030477b1feadd0124d5313c1e432e5
SHA256 e73451e991906956e4576d56bca26246ff87c5d283f0305e128a72996349bbb5
SHA512 8f6729bc3e258edb6794806af3aa6e6f51f44290511405388e1d74cd5b447553a53d07fdd4f0b3a29ad5f2d23c310ac9ab23f980a5ab693201ea883661a600ad

C:\Users\Admin\AppData\Local\Temp\RES3781.tmp

MD5 2814d1c4b8a6a3d732792e1d552006df
SHA1 1c3afdf9da77539f3795897c6faf453e3ddcbb6b
SHA256 6b7d703a09d34cf5fb03e281e42705debbe04052df6b63d1006a9fd305418217
SHA512 766d191bcec2e0b7e32abe97cfc2734dd2771149e57fe9b87fcc0391db623b574bb9d40c2738e8583abb287341a247f67c62be68a3adba0d11d597eda9a27a80

C:\Users\Admin\Downloads\hvh.exe

MD5 e9dc585ab8f95b9f729b56ca42cca9ba
SHA1 c5cb88cccf8d3670429dfda773fee2ca4f42a5eb
SHA256 f513cf9d3ee246a8ebc2f2d042fd38b6322a11d45fad06ee6d8b588cc1475f4a
SHA512 c7f8aba38636b3f05654eb99323a42f0e3978cee075df8cb4a72081c31dc899d4f82d99bc5d646027d5b267786b297b934860f763f5346fa47805463d3890476

memory/2944-24-0x0000000000A40000-0x0000000000A4C000-memory.dmp

C:\Users\Admin\Desktop\read_it.txt

MD5 4217b8b83ce3c3f70029a056546f8fd0
SHA1 487cdb5733d073a0427418888e8f7070fe782a03
SHA256 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA512 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

\??\c:\Users\Admin\AppData\Local\Temp\ciy3xpv0\ciy3xpv0.cmdline

MD5 cf8b004437b296432c6004f8886a3b82
SHA1 21b68fa4d20847ed84bdd6c0a62cbba7f646d3f3
SHA256 0a2ce1c1f32cbd2ce717fffe3a13ccb12d9c7d90d2f9b1a826c9ad7ac43b3832
SHA512 693bc70999823f35e06a84a20f93f3a38b937f7bb31233a96d4475268e219e469e9cab6021a0d0bae0c17468a534a794dfb6e3282d013c082bfb918b0279139f

\??\c:\Users\Admin\AppData\Local\Temp\ciy3xpv0\ciy3xpv0.0.cs

MD5 b93d9fedf0aa811b180702c955689d32
SHA1 eda69f5cf72fd6b585d8ca04ac32cc83f2259cd0
SHA256 db542b1ad2ff5cbda54e99bbacd1eb28601d95611a4037688b9fc84f18de367b
SHA512 e183c3cad9bc4625e2d6a20b36e5a1c7df4e9a1d3df64f0ba077572198f419e790b4f6fcc9823cd6d7ded4e18d05e309c63efdb2e0cdac1d434104e614a4b33a

\??\c:\Users\Admin\Downloads\CSC93B926F2CADA4E11B82357DFB72E606F.TMP

MD5 2d6d577ab2659db54138a9f9c2485ff9
SHA1 6b78174240a1b991f26b3f2240270cbff8d69c99
SHA256 ca21b81bdf5d7cad77d3b8e4c4bc5ead801d7499618cc2be010082a2de18a02e
SHA512 fe1dcf6e14110f1ee6f5e5d2a7f0ceec1e8fea1060505ec5b309a05683ddb69b4b690802e5c70b5a5963abf54806dc30e72c01164b9eb7421874d453c04cfaa7

C:\Users\Admin\AppData\Local\Temp\RESD2B3.tmp

MD5 fb87da658fc19c301ddb96b67d696901
SHA1 36eb536642a608b737c485d5594c9b00fe269918
SHA256 695fef2f05da4e3bec28b87f869d35de63156381b21e001b0301c174234f0bae
SHA512 26077b5c3c65a91b4c54486d1549c3982cb05f469c3ff0255538b315759a8c247b25dfab07924def7bf0e4aad82cd6c5d95b94fd479c17922d7dea216d5f3111

C:\Users\Admin\Downloads\hvh2.exe

MD5 a55063d63b7941c46ce307ade2127466
SHA1 2c3060b127b350520ee438d8e27e48abaad69624
SHA256 53d34689f921600a0c83153b71846639213462cfb425272f88840265202a0671
SHA512 d548806e47e2a79c4036cce2073128a80cd036a399058223c69a2d6d098192163c3d988ce9d2017424af7db99ecb8ee75bb44218f8a96730f97c8eb09146fd9a

memory/4100-108-0x0000000000E40000-0x0000000000E4C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hvh2.exe.log

MD5 d78293ab15ad25b5d6e8740fe5fd3872
SHA1 51b70837f90f2bff910daee706e6be8d62a3550e
SHA256 4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3
SHA512 1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

\??\c:\Users\Admin\AppData\Local\Temp\3emxat4l\3emxat4l.cmdline

MD5 e305cd011f0fb399b8d7227ea2f8bd48
SHA1 d69799afe5522cb3844f687d54b374e1398f67c8
SHA256 14d9f8973f1312cdec9242fa24dd4ff837b3f772af9db5492d28517e226ecd2d
SHA512 d502f0a773f402ad7f28e727d5c655238cdfa8030ca5f10fe2997ebd071d6e8d671da1b27c67e7c3e8a5afaa00d6b2cd8794284aedecdae4c59aa2a5d332f054

\??\c:\Users\Admin\Videos\CSC5D3AD5B232A94ED788E06540B1492B70.TMP

MD5 2af36729151d1d1bdbb914d4a1c51154
SHA1 c0c4595f7e58d91810d4c5c9615c1fd16a3c6006
SHA256 95efd991a11ca7a45ffa5e854c784b844e6e132a274c1d1d694d177efb77dc54
SHA512 e69107b36c8b8ba98d415208f2c88d822ca6d3d36ed23031e112a7e145865a149b8296c4920b746920eb1dbe95e01c975853811c770aee97c36be89aa08a3988

C:\Users\Admin\AppData\Local\Temp\RESA8CA.tmp

MD5 446909f931ce5e5dbce23a698406cd8c
SHA1 94ed6442c0b4a9969cdefb23598e3fb2666daa56
SHA256 d52937ffe989768a623b39981fead41fad242b44a9a1f3b1071551766c3c86e5
SHA512 8093b42a02b329a26d62186378bbcde2a56a3427d7999be0ad4b70d0a3c287a09b6ae1595ca870822dfc25034d3259d3f02dba700978dec36a917489eb8b4f1c

C:\Users\Admin\Videos\hh.exe

MD5 4e6b22236ac97a727f4f90ead2f2bbf9
SHA1 3a3f45aea9241660f4b4ee565645d69991779df2
SHA256 42fa99e7d3d6c693ceb75e464474456382a98734bbfcef40c3f6481fd15f3a46
SHA512 581884fa3e4053d284491a26dfe5bcfdfa3d9d2ac81f0dd7de292be75839702b26f4ecc8c9dcd7c9b9f5f487e7ebcc6b29e2f68e8fa19d240fa10d6192b09cda

memory/992-141-0x0000000000B10000-0x0000000000B1C000-memory.dmp