Analysis
max time kernel: 71s
max time network: 64s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 25-11-2024 02:23
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1308616008101269526/1310430117843046440/Chaos_Ransomware_Builder_v4.exe?ex=674530a6&is=6743df26&hm=77c5ef4ffed41ac87fab65e00e50e68702e6fc09940f8fb8fde82c3c6fbbcc0b&
Resource: win10ltsc2021-20241023-en
General
Target: https://cdn.discordapp.com/attachments/1308616008101269526/1310430117843046440/Chaos_Ransomware_Builder_v4.exe?ex=674530a6&is=6743df26&hm=77c5ef4ffed41ac87fab65e00e50e68702e6fc09940f8fb8fde82c3c6fbbcc0b&
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource yara_rule
behavioral1/files/0x002a0000000450de-29.dat family_chaos
behavioral1/memory/3772-53-0x0000000000D00000-0x0000000000D8E000-memory.dmp family_chaos
-
Chaos family
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process
3772 Chaos Ransomware Builder v4.exe
-
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\SystemTemp chrome.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
-
Modifies data under HKEY_USERS 2 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133769750149813597" chrome.exe
-
Modifies registry class 32 IoCs
description ioc Process
Set value (data) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff Chaos Ransomware Builder v4.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" Chaos Ransomware Builder v4.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 Chaos Ransomware Builder v4.exe
Key created \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 Chaos Ransomware Builder v4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" Chaos Ransomware Builder v4.exe
Key created \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg Chaos Ransomware Builder v4.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" Chaos Ransomware Builder v4.exe
Key created \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell Chaos Ransomware Builder v4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Chaos Ransomware Builder v4.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" Chaos Ransomware Builder v4.exe
Key created \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings chrome.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 Chaos Ransomware Builder v4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" Chaos Ransomware Builder v4.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff Chaos Ransomware Builder v4.exe
Key created \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell Chaos Ransomware Builder v4.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" Chaos Ransomware Builder v4.exe
Key created \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings Chaos Ransomware Builder v4.exe
Key created \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 Chaos Ransomware Builder v4.exe
Key created \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Chaos Ransomware Builder v4.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" Chaos Ransomware Builder v4.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" Chaos Ransomware Builder v4.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Chaos Ransomware Builder v4.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" Chaos Ransomware Builder v4.exe
Key created \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 Chaos Ransomware Builder v4.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff Chaos Ransomware Builder v4.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000 Chaos Ransomware Builder v4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads" Chaos Ransomware Builder v4.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" Chaos Ransomware Builder v4.exe
Key created \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Chaos Ransomware Builder v4.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3" Chaos Ransomware Builder v4.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff Chaos Ransomware Builder v4.exe
Key created \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} Chaos Ransomware Builder v4.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process
4696 chrome.exe (2 entries)
3772 Chaos Ransomware Builder v4.exe (22 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid Process
4696 chrome.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 4696 chrome.exe and Token: SeCreatePagefilePrivilege 4696 chrome.exe, alternating (63 entries in total)
Token: SeDebugPrivilege 3772 Chaos Ransomware Builder v4.exe (1 entry)
-
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process
4696 chrome.exe (34 entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
pid Process
4696 chrome.exe (24 entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
3772 Chaos Ransomware Builder v4.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4696 wrote to memory of 4704 4696 chrome.exe 83 (2 entries)
PID 4696 wrote to memory of 5116 4696 chrome.exe 85 (2 entries)
PID 4696 wrote to memory of 4164 4696 chrome.exe 84 (repeated entries)
PID 4696 wrote to memory of 4656 4696 chrome.exe 86 (repeated entries)
All 64 entries originate from PID 4696 chrome.exe; the remaining 60 entries target 4164 (procid_target 84) and 4656 (procid_target 86).
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indented entries are child processes of the entry above them)

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4696)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1308616008101269526/1310430117843046440/Chaos_Ransomware_Builder_v4.exe?ex=674530a6&is=6743df26&hm=77c5ef4ffed41ac87fab65e00e50e68702e6fc09940f8fb8fde82c3c6fbbcc0b&
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4704)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffccea6cc40,0x7ffccea6cc4c,0x7ffccea6cc58

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4164)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2064,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2068 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5116)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2484 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4656)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2116,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2424 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3928)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3164 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2224)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3260 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2612)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5044,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5056 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2832)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5068,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5092 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3184)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5396,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5404 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3148)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4472,i,12294703492472124678,5563764969246372558,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4460 /prefetch:8

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 4692)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe (PID 3320)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\System32\rundll32.exe (PID 2392)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe (PID 3772)
  Command line: "C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 649B
MD5: 44ba3b3d169df6851b017c0348ceff8f
SHA1: 29852b73b48859c6d0a79deb8ca941868f341fd1
SHA256: b76864f5879c72890f15cc9e6c6bd229196ba46e5319022f4cd031314e7ec23a
SHA512: f0d28bcd7745121705b0f0e42534badbfaa88a651b320cd4795aa18224c94a3efc8e8c9f66c8878a34d07a92ab08cb1734f90265ad810e5d0179224f7ddf861c
-
Filesize: 2KB
MD5: 5cefa7167ca7a7729f883781d1a12a81
SHA1: 3a7da019163a1ec9e58149d8b0b1855722cdf1ab
SHA256: ce4cfc395a59df0b30c9b3f2998f28ee4e8e9101624cb76b180b8d9c66f0a38b
SHA512: 0f8921760f77ed1997a1ee99810ca05cdaf95d3b186aa8f95ed31f725a5e6e645d219f04e6adefe7923709f3d90afc876fe1eb033cbc44c9ba2bc1f51d9cf84b
-
Filesize: 1KB
MD5: 49969da7a3f845e3426566f30e0a0fbb
SHA1: 5c7991bf9c9935dcb7ea398be495c2c0d12bd186
SHA256: 2e09550a44225de5c97e9d5b5cc95c19c8bff2da394d85d317e5db59724dab4a
SHA512: dc60f723e228303e482cf21a82561946282d95c85effb7561fca32f2cebebe0fad0e8942cbd4dee91ac175db0a99911be7771693cfac01a60706f9fb4602482d
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 9KB
MD5: 8051cae0116b65ac04fa40fec1aa41c1
SHA1: f488020e43f66b2677b3d09ca14aec914ef48600
SHA256: e64d3a7c4de9644d0e732292d20db7bc22385ea71b458102ceb86ea8dcdd5f15
SHA512: a4359a258065a2735349f70dc6f6735bd5420fd3d49de5bc811ad63141b06ad82b2503d5b7b0876019bacd30635aa5a7bb4d2e92ca412520a5c92c65a85ab9fd
-
Filesize: 9KB
MD5: 6344ef6c626fbd7e790dee7c3a734372
SHA1: 06de594898762aa50e19ee0cf856a6ef2348b8e9
SHA256: 16ea5464d9eb54bed2ee617bf9a35b804bf64be2cb0b21e5a34429f5f291dd95
SHA512: 8d6bb5fd1a8161c553a855203b2975ee0af6ac7909884395f98aa03f9ff3b94a9c97f3642a668258ea7c06edbb7d7cd4b75c7c970e6599665e31bbcd717fea61
-
Filesize: 9KB
MD5: 58e1b6ce3cfb4df0ed43f8c01c471133
SHA1: 88bc0b259f57ef4c932f9a6fe83b15734d4e8227
SHA256: 26f3bbc1893479ca513032e724faff2904903ba4e1528c6456882dacf11c7ed5
SHA512: ebcb2ec64596e58bf516ce2a26981fd7454e73d7820308e51bf3ca1dbec935791017e9e2d276709670acd813d6a79409f1e1db0664e3917aabdce334b9450b7e
-
Filesize: 9KB
MD5: 30ea85fc636778ccfcc5fe9eedfd3b66
SHA1: 442e203edea2425423414577e752c4abb64295a3
SHA256: be0eb331f1b015e7e015e496a37d249d092d1c6ca8a5bea4b722e241228285b5
SHA512: 156f3ca0e5543a78147db39b0ae475a009cf8975d1c0614255a0dd7bc2d90ca57c87af7e438d8e7e9ac0dbabb3740e8020a7cdb5fccbfd9c3dac0b8754d414e3
-
Filesize: 9KB
MD5: 056b917228d63a823e829126d9af1d9e
SHA1: 91f8b8d60c4170bb379b8ed325b9a02f56e9e20f
SHA256: 7563c95c563adb53f5624fe559c6bbed43fcdceb7942e222828bbcf461ac8a5e
SHA512: 828933bafab2a4b624f8e2b70a15e28ae934a2852fab69c424a092ffe147b3888517311095ae5aa6f5c2c4244dadf88e55ab1966e96e55fec7b8d1e6739537c8
-
Filesize: 118KB
MD5: f4166eed4ac4498db1f8f1ff2153a0ed
SHA1: afad548db038a16029fa73f5e2d13fc88afeece0
SHA256: 75ce915cdc4d9bdec8a89ed0bfedae51c260aacd5016b8fb776c70315a52fbc2
SHA512: e00eb257595211919a9fe389d8dd4e120f12403ef170f03574e15e7476d8acece5d597990df3a871370314dd50488d07d328aac05020ab0340d6da3e607a33e7
-
Filesize: 118KB
MD5: 9644b5ef12b9d41b0778844af6e7bf30
SHA1: 6f7c1db38c81d201dea24c9d3f8d001d6b63f2f3
SHA256: 1e11e8f03a73772ae155435abfe1479a1ceb75115d4375165426cf4b924ee90b
SHA512: ca35e2791d08824cb41d78e168dfdc8383c98cdd64fd8952a79a07ce4496389c3e843d8698a10f2e0234c4254f1dcacd4fd493265e0701c3996f0ca3b47ef435
-
Filesize: 550KB
MD5: 8b855e56e41a6e10d28522a20c1e0341
SHA1: 17ea75272cfe3749c6727388fd444d2c970f9d01
SHA256: f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
SHA512: eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908