Analysis

max time kernel:  264s
max time network: 265s
platform:         windows11-21h2_x64
resource:         win11-20250314-en
resource tags:    arch:x64, arch:x86, image:win11-20250314-en, locale:en-us, os:windows11-21h2-x64, system
submitted:        22/03/2025, 22:48

Behavioral task: behavioral1
Sample:   Chaos Ransomware Builder v4.exe
Resource: win11-20250314-en
General

Target: Chaos Ransomware Builder v4.exe
Size:   550KB
MD5:    8b855e56e41a6e10d28522a20c1e0341
SHA1:   17ea75272cfe3749c6727388fd444d2c970f9d01
SHA256: f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
SHA512: eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
SSDEEP: 3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168
Malware Config

Extracted from: C:\Users\Admin\Desktop\read_it.txt
Family:         chaos
Signatures

Chaos
  Ransomware family first seen in June 2021.

Chaos Ransomware (4 IoCs)
  resource | yara_rule
  behavioral1/memory/5972-1-0x0000000000630000-0x00000000006BE000-memory.dmp | family_chaos
  behavioral1/files/0x001b00000002b3c8-511.dat | family_chaos
  behavioral1/files/0x001900000002b447-521.dat | family_chaos
  behavioral1/memory/784-523-0x00000000009C0000-0x00000000009D0000-memory.dmp | family_chaos

Chaos family

Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid   | Process
  2672  | bcdedit.exe
  6000  | bcdedit.exe

  pid   | Process
  6124  | wbadmin.exe

Drops startup file (3 IoCs)
  description                  | ioc | Process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Azera Spoofer FN cheat,exe.url | Azera Spoofer FN cheat,exe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | Azera Spoofer FN cheat,exe.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | Azera Spoofer FN cheat,exe.exe

Executes dropped EXE (2 IoCs)
  pid   | Process
  784   | Azera Spoofer FN cheat.exe
  5220  | Azera Spoofer FN cheat,exe.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (34 IoCs)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description      | ioc | Process
  Set value (str)  | \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5wxekvz45.jpg" | Azera Spoofer FN cheat,exe.exe

Drops file in Windows directory (1 IoC)
  description                  | ioc                   | Process
  File opened for modification | C:\Windows\SystemTemp | chrome.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description        | ioc | Process
  Key opened         | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
  Key value queried  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
  Key opened         | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
  Key value queried  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        | ioc | Process
  Key opened         | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Interacts with shadow copies (3 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   | Process
  5112  | vssadmin.exe

Modifies data under HKEY_USERS (2 IoCs)
  description      | ioc | Process
  Key created      | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int)  | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133871574432365374" | chrome.exe

Modifies registry class (64 IoCs)
NTFS ADS (1 IoC)
  description                  | ioc | Process
  File opened for modification | C:\Users\Admin\Downloads\images.jpg:Zone.Identifier | chrome.exe

Opens file in notepad (likely ransom note) (1 IoC)
  pid   | Process
  5824  | NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   | Process
  5220  | Azera Spoofer FN cheat,exe.exe

Suspicious behavior: EnumeratesProcesses (52 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   | Process
  5972  | Chaos Ransomware Builder v4.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  pid   | Process
  4860  | chrome.exe
  4860  | chrome.exe
  4860  | chrome.exe
  4860  | chrome.exe
  4860  | chrome.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (34 IoCs)
Suspicious use of SendNotifyMessage (12 IoCs)
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   | Process
  5972  | Chaos Ransomware Builder v4.exe
  3652  | chrome.exe
  5972  | Chaos Ransomware Builder v4.exe
  5972  | Chaos Ransomware Builder v4.exe
  5972  | Chaos Ransomware Builder v4.exe
  5972  | Chaos Ransomware Builder v4.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
    PID: 5972
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yk5tl3ey\yk5tl3ey.cmdline"
        PID: 1724
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES348.tmp" "c:\Users\Admin\Desktop\CSC572ADE7D74314A7F95D33F17BB3CA8A.TMP"
            PID: 3544

C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    PID: 4860
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d360dcf8,0x7ff9d360dd04,0x7ff9d360dd10
        PID: 4992
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1480,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2088 /prefetch:11
        PID: 1840
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2060,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2056 /prefetch:2
        PID: 3764
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1416 /prefetch:13
        PID: 3836
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3224,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3384 /prefetch:1
        PID: 2168
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3404 /prefetch:1
        PID: 2328
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4192,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4212 /prefetch:9
        PID: 4396
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4672,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4704 /prefetch:1
        PID: 3120
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5192,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5172 /prefetch:14
        PID: 5716
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5412,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5428 /prefetch:14
        PID: 5172
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5276,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5448 /prefetch:1
        PID: 4308
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3532 /prefetch:14
        PID: 4244
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3520,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3472 /prefetch:14
        PID: 904
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3480,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4516 /prefetch:14
        PID: 3684
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3348,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3532 /prefetch:14
        PID: 3652
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3528,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3472 /prefetch:14
        PID: 5888
        - NTFS ADS

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    PID: 4188

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    PID: 2012

C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe
    Command line: "C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe"
    PID: 784
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe"
        PID: 5220
        - Drops startup file
        - Executes dropped EXE
        - Drops desktop.ini file(s)
        - Sets desktop wallpaper using registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
            PID: 2992
            C:\Windows\system32\vssadmin.exe
                Command line: vssadmin delete shadows /all /quiet
                PID: 5112
                - Interacts with shadow copies
            C:\Windows\System32\Wbem\WMIC.exe
                Command line: wmic shadowcopy delete
                PID: 5316
        C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
            PID: 1908
            C:\Windows\system32\bcdedit.exe
                Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
                PID: 2672
                - Modifies boot configuration data using bcdedit
            C:\Windows\system32\bcdedit.exe
                Command line: bcdedit /set {default} recoveryenabled no
                PID: 6000
                - Modifies boot configuration data using bcdedit
        C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            PID: 5740
            C:\Windows\system32\wbadmin.exe
                Command line: wbadmin delete catalog -quiet
                PID: 6124
                - Deletes backup catalog
        C:\Windows\system32\NOTEPAD.EXE
            Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
            PID: 5824
            - Opens file in notepad (likely ransom note)

C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 2700

C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    PID: 4968

C:\Windows\System32\vdsldr.exe
    Command line: C:\Windows\System32\vdsldr.exe -Embedding
    PID: 4904

C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    PID: 4520
    - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
    - Direct Volume Access (1)
    - Indicator Removal (3)
        - File Deletion (3)
    - Modify Registry (1)
Credential Access
    - Credentials from Password Stores (1)
        - Credentials from Web Browsers (1)
    - Unsecured Credentials (1)
        - Credentials In Files (1)
Downloads