Analysis

max time kernel: 1049s
max time network: 428s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2024 16:09

Behavioral task: behavioral1
Sample: Chaos Ransomware Builder v5.2.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: Chaos Ransomware Builder v5.2.exe
Resource: win10v2004-20241007-en

General

Target: Chaos Ransomware Builder v5.2.exe
Size: 560KB
MD5: 02a37759bd104561f7730225388526fa
SHA1: e02d8913f43d8d7843045d25eb369e0e086d7fb2
SHA256: 38adb3e1431726978b41a80227f22159fddfaeed174ddd2d569e6de4177d3589
SHA512: 55967de3de1ec177fd1f1d34571072c8fc3e3e4e657d35260db405e6d9f02fbb143b3a9f3d5f423572212e46394fd6953bfcb3d7fcc199126b5710dcab5af0f3
SSDEEP: 3072:ERbKSiIsAumFi2YcRVm16Pn6uXFsGoi2YcRTmH6PG6d5kCQLajjjjjjjjjjjjjjx:ERbKediWm16FEiqmH65aziym168

Malware Config

Extracted
Path: C:\Users\Admin\AppData\Local\read_it.txt
Family: chaos
Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware (4 IoCs)
resource: yara_rule
- behavioral2/memory/4408-1-0x0000000000E20000-0x0000000000EB0000-memory.dmp: family_chaos
- behavioral2/files/0x0009000000023bdb-17.dat: family_chaos
- behavioral2/files/0x0008000000023c15-25.dat: family_chaos
- behavioral2/memory/4824-27-0x0000000000CE0000-0x0000000000CEC000-memory.dmp: family_chaos

Chaos family

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid: Process
- 1360: bcdedit.exe
- 1524: bcdedit.exe

pid: Process
- 4292: wbadmin.exe

Disables Task Manager via registry modification

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description: ioc (Process)
- Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (fdfe.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (svchost.exe)

Drops startup file (3 IoCs)
description: ioc (Process)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url (svchost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (svchost.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt (svchost.exe)

Executes dropped EXE (2 IoCs)
pid: Process
- 4824: fdfe.exe
- 3928: svchost.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (64 IoCs)
description: ioc (Process). All 64 entries are "File opened for modification" by svchost.exe:
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- C:\Users\Public\AccountPictures\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\Users\Admin\3D Objects\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- C:\Users\Public\desktop.ini

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: ioc (Process)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DllHost.exe)
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description: ioc (Process)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (vds.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 (vds.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 (vds.exe)

Enumerates system info in registry (2 TTPs, 3 IoCs)
description: ioc (Process)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)

Interacts with shadow copies (3 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid: Process
- 640: vssadmin.exe
Modifies registry class (59 IoCs)
description: ioc (Process). In the entries below, SHELL stands for \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell, and the process is Chaos Ransomware Builder v5.2.exe unless noted.
- Key created: SHELL\BagMRU\0\1
- Key created: SHELL\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
- Set value (int): SHELL\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"
- Key created: SHELL\BagMRU
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
- Key created: SHELL\Bags\2\ComDlg
- Set value (int): SHELL\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"
- Set value (data): SHELL\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000
- Set value (int): SHELL\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"
- Set value (int): SHELL\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"
- Key created: SHELL\Bags\1\ComDlg
- Set value (int): SHELL\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"
- Set value (data): SHELL\BagMRU\NodeSlots = 02
- Set value (int): SHELL\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"
- Set value (int): SHELL\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"
- Set value (data): SHELL\BagMRU\NodeSlots
- Key created: SHELL\BagMRU\0
- Key created: SHELL\Bags\1
- Set value (int): SHELL\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"
- Set value (int): SHELL\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"
- Key created: SHELL
- Key created: SHELL\BagMRU\0\0
- Set value (int): SHELL\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"
- Set value (data): SHELL\BagMRU\MRUListEx = 00000000ffffffff
- Set value (str): SHELL\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
- Set value (data): SHELL\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings (OpenWith.exe)
- Set value (str): SHELL\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"
- Set value (int): SHELL\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"
- Set value (str): SHELL\Bags\1\Shell\SniffedFolderType = "Documents"
- Key created: SHELL\Bags\2
- Set value (data): SHELL\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff
- Set value (data): SHELL\BagMRU\NodeSlots = 0202
- Set value (data): SHELL\BagMRU\0\1\MRUListEx = ffffffff
- Set value (data): SHELL\BagMRU\0\MRUListEx = 0000000001000000ffffffff
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings
- Set value (data): SHELL\BagMRU\0\MRUListEx = 0100000000000000ffffffff
- Set value (data): SHELL\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000
- Set value (int): SHELL\BagMRU\0\1\NodeSlot = "2"
- Set value (int): SHELL\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"
- Set value (data): SHELL\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
- Set value (str): SHELL\Bags\2\Shell\SniffedFolderType = "Downloads"
- Set value (str): SHELL\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"
- Set value (data): SHELL\BagMRU\MRUListEx = ffffffff
- Set value (data): SHELL\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings (svchost.exe)
- Key created: SHELL\Bags\2\Shell
- Set value (int): SHELL\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"
- Set value (int): SHELL\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"
- Key created: SHELL\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}
- Key created: SHELL\Bags
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
- Set value (int): SHELL\BagMRU\0\0\NodeSlot = "1"
- Set value (data): SHELL\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
- Set value (int): SHELL\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"
- Set value (int): SHELL\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"
- Key created: SHELL\Bags\1\Shell
- Set value (data): SHELL\BagMRU\0\MRUListEx = 00000000ffffffff
- Set value (data): SHELL\BagMRU\0\0\MRUListEx = ffffffff
Opens file in notepad (likely ransom note) (1 IoCs)
pid: Process
- 3972: NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid: Process
- 3928: svchost.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid: Process (repeated entries collapsed, count in parentheses)
- 4408: Chaos Ransomware Builder v5.2.exe (23 entries)
- 4824: fdfe.exe (23 entries)
- 3928: svchost.exe (18 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
pid: Process
- 4044: chrome.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (55 IoCs)
description: pid Process
- Token: SeDebugPrivilege, 4408 Chaos Ransomware Builder v5.2.exe
- Token: SeDebugPrivilege, 4824 fdfe.exe
- Token: SeDebugPrivilege, 3928 svchost.exe
- Token: SeBackupPrivilege, 536 vssvc.exe
- Token: SeRestorePrivilege, 536 vssvc.exe
- Token: SeAuditPrivilege, 536 vssvc.exe
- Tokens for 5044 WMIC.exe, the following sequence listed twice in the report (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Token: SeBackupPrivilege, 1896 wbengine.exe
- Token: SeRestorePrivilege, 1896 wbengine.exe
- Token: SeSecurityPrivilege, 1896 wbengine.exe
- Token: SeShutdownPrivilege, 4044 chrome.exe
- Token: SeCreatePagefilePrivilege, 4044 chrome.exe
- Token: SeShutdownPrivilege, 4044 chrome.exe
- Token: SeCreatePagefilePrivilege, 4044 chrome.exe

Suspicious use of FindShellTrayWindow (28 IoCs)
pid: Process
- 3972: NOTEPAD.EXE
- 4044: chrome.exe (27 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid: Process
- 4044: chrome.exe (24 entries)

Suspicious use of SetWindowsHookEx (3 IoCs)
pid: Process
- 4408: Chaos Ransomware Builder v5.2.exe (2 entries)
- 4176: OpenWith.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description: pid Process, procid_target (each distinct entry is listed twice in the report unless a different count is given)
- PID 4408 wrote to memory of 4688: 4408 Chaos Ransomware Builder v5.2.exe, procid_target 102
- PID 4688 wrote to memory of 2320: 4688 csc.exe, procid_target 104
- PID 4824 wrote to memory of 3928: 4824 fdfe.exe, procid_target 111
- PID 3928 wrote to memory of 4384: 3928 svchost.exe, procid_target 112
- PID 4384 wrote to memory of 640: 4384 cmd.exe, procid_target 114
- PID 4384 wrote to memory of 5044: 4384 cmd.exe, procid_target 118
- PID 3928 wrote to memory of 4624: 3928 svchost.exe, procid_target 120
- PID 4624 wrote to memory of 1360: 4624 cmd.exe, procid_target 122
- PID 4624 wrote to memory of 1524: 4624 cmd.exe, procid_target 123
- PID 3928 wrote to memory of 2512: 3928 svchost.exe, procid_target 124
- PID 2512 wrote to memory of 4292: 2512 cmd.exe, procid_target 126
- PID 3928 wrote to memory of 3972: 3928 svchost.exe, procid_target 133
- PID 4044 wrote to memory of 4236: 4044 chrome.exe, procid_target 143
- PID 4044 wrote to memory of 1664: 4044 chrome.exe, procid_target 144 (30 entries)
- PID 4044 wrote to memory of 2896: 4044 chrome.exe, procid_target 145
- PID 4044 wrote to memory of 1720: 4044 chrome.exe, procid_target 146 (6 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
- C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v5.2.exe (PID 4408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v5.2.exe"
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 4688)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iycahnyp\iycahnyp.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 2320)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B80.tmp" "c:\Users\Admin\Downloads\CSCF175A03FF17E4A338B64843BE5ACE470.TMP"

- C:\Windows\System32\rundll32.exe (PID 2916)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Users\Admin\Downloads\fdfe.exe (PID 4824)
  Command line: "C:\Users\Admin\Downloads\fdfe.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 3928)
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 4384)
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe (PID 640)
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      - C:\Windows\System32\Wbem\WMIC.exe (PID 5044)
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (PID 4624)
      Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\bcdedit.exe (PID 1360)
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
      - C:\Windows\system32\bcdedit.exe (PID 1524)
        Command line: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
    - C:\Windows\System32\cmd.exe (PID 2512)
      Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wbadmin.exe (PID 4292)
        Command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
    - C:\Windows\system32\NOTEPAD.EXE (PID 3972)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      - Opens file in notepad (likely ransom note)
      - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\vssvc.exe (PID 536)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\wbengine.exe (PID 1896)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\vdsldr.exe (PID 2168)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding

- C:\Windows\System32\vds.exe (PID 4672)
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)

- C:\Windows\system32\OpenWith.exe (PID 4176)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4044)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4236)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffee6fecc40,0x7ffee6fecc4c,0x7ffee6fecc58
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1664)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,17199287698112855954,7358084836155938432,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2896)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,17199287698112855954,7358084836155938432,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:3
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1720)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,17199287698112855954,7358084836155938432,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 268)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,17199287698112855954,7358084836155938432,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5032)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,17199287698112855954,7358084836155938432,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3448 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3860)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3736,i,17199287698112855954,7358084836155938432,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1

- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 548)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

- C:\Windows\SysWOW64\DllHost.exe (PID 1644)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  - System Location Discovery: System Language Discovery

- C:\Windows\System32\rundll32.exe (PID 4440)
  Command line: "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Options_RunDLL 0
Network
-
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize: 1KB
MD5: 2e878c415f982ce5922a5a23f756dbb6
SHA1: a29bdf66f17d01c6f42f809e4a5911f99023c9c8
SHA256: b04eabacc296ef3dfdbde6e0d3d7d50e9b8942edde072fbd2597330a96931881
SHA512: 2e5dd96509acc1b5a3a4511de26ae4db018b4fa29719e4f7249d7d7b994db842d935770b62de09bbbe42350d51ba10b4faf5e39bf4790b2a3a201e20d9789256
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 356B
MD5: 331a7cf0f126d233ebf762d8b03a337e
SHA1: 5e78b2f299cae693e7ea97c211acf82ccffe6ce9
SHA256: a3e82d40a4abdb52624c4faf66650d62de95a0cf5b6ef4b15d176bdd616f2c79
SHA512: 24a9677a6c24738dc87f7c77e4015f1e503cf81e022a83e1ef84affcb2305de3c642f53c836d95707a19152d435905208309415565087ae7573ab209f61af0bf
-
Filesize: 8KB
MD5: 785dfe8e237d9e96f979c2c5f1f8a627
SHA1: 1afa8c2f3a1b7daa41506debb26c91688cfbd1f9
SHA256: 11f5b53b4494bf63e00ad8a9bf34a2c1b984961999f4c90086b9db9cb4262de2
SHA512: 86adcc1e46667d27d46b4f917e1a9c79f2602946e97fce65f119c46a7994795d4a8bfda55bb923ec691b7d743f42c0c8ece8950297bc235b4d7b3caa23dc5caa
-
Filesize: 116KB
MD5: 3d8376c95154795e2547eaeab2c9970a
SHA1: 612ff9016b1d68760f979f5942cf2968a834c340
SHA256: 38239cc9e020b95ebaad405d07ef77ac028440cee51ded3d46798816593f5238
SHA512: 16cf78e6dc5cbfae046a32517c3126c2cfcf65bbac5117f91330a87f36fd478e612caf03f46bd7654cfdfe8e79ceb458be70b98f805828115d9f9afde1232add
-
Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize: 226B
MD5: 28d7fcc2b910da5e67ebb99451a5f598
SHA1: a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA256: 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA512: 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6
-
Filesize: 1KB
MD5: a08cdbbd2b89994e92aff6c10e8ca132
SHA1: 440169713a4f86f1fb27ae7ced8a85b900840a47
SHA256: 18f8a2a97036e737975f2e1cdeadd2a515a39d200763ab91c306d30216f5b0b1
SHA512: 8557a12196b131f17711039a09903c8e9acf568d16086821e24a706292a66aee07cba521ed360df01e9b0bd7a3d636164873a6535802a6fdeb105ad13eb0c089
-
Filesize: 964B
MD5: 4217b8b83ce3c3f70029a056546f8fd0
SHA1: 487cdb5733d073a0427418888e8f7070fe782a03
SHA256: 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA512: 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740
-
Filesize: 1B
MD5: d1457b72c3fb323a2671125aef3eab5d
SHA1: 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256: 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512: ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0
-
Filesize: 26KB
MD5: e4f9e92962a5d53e4f4f32bbab9466ec
SHA1: e8a3737c88b92a56efe1c17a6ea4eb11eab43038
SHA256: 4c018f23f92b3c151c21ecae64db78d52c3d7dc134e9cc20743cf2552bb8fa59
SHA512: ccf1ddd85a413aa59db4a833139acced14040f8bd0de0a37d002c711adaff2904868db4109728972dfa5c6684401728df2ee683197780877556eb80e5e2b4f32
-
Filesize: 37KB
MD5: ea1f7621042d8b45eb254d13c13aa906
SHA1: 910444812b5dc417d1f2410c6b00ac5fc3112593
SHA256: 6a0c37616266e514520ee4e9ef88844036c10434d4a3e98bd0c32dcb5b9f71df
SHA512: c7d257216981ae7b8bb1a74f64e90df442db121e34582482f0f6fa984fdc875c945fa31203e79bef96b5866bf71a7af11e212a650cfae64254af3ca19ab4343e
-
Filesize: 357B
MD5: 5a90185b0af724e1989f6adf432efc72
SHA1: 0fee3b4c5910a84d0c332b16dea66821f117e47f
SHA256: 2ec6a8eeb6e0e25041f2c6fac758071293932c6fab9b9a7e7c6d514c454a3b9f
SHA512: 6196da01ff7722f00211aafa04db8b407c1f9a36701fcf8245efc0e269b8ae0770c1ce869bb936782f4c8c56a1f7d5cf8487d7cf0cb05d18ad13a00f97390e41
-
Filesize: 1KB
MD5: 646da1b567f56506b727e182c412c7ad
SHA1: 2a762a72450485582379e3b30d6c25d875ce473e
SHA256: 865a210c21794bd0c4fdc6be71c685ec1768cf01a2bb5cad5e601fbfa14adae2
SHA512: 020a31d575d04ba960861e56c9f3ad753a0f772ae6938aa2467a0302c1c22306b371132ad2a6bb87e6bda308e52141397ba446238bc41b7ec0beeee76075339c