Malware Analysis Report

2025-04-13 21:19

Sample ID 250322-2rhrjasvfw
Target Chaos Ransomware Builder v4.exe
SHA256 f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
Tags chaos defense_evasion discovery evasion execution impact ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

Threat Level: Known bad

The file Chaos Ransomware Builder v4.exe was found to be: Known bad.

Malicious Activity Summary

chaos defense_evasion discovery evasion execution impact ransomware spyware stealer

Chaos

Chaos Ransomware

Chaos family

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in Windows directory

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Opens file in notepad (likely ransom note)

Suspicious behavior: AddClipboardFormatListener

NTFS ADS

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-03-22 22:48

Signatures

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Chaos family

chaos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-03-22 22:48
Reported 2025-03-22 22:53
Platform win11-20250314-en
Max time kernel 264s
Max time network 265s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Chaos family

chaos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Azera Spoofer FN cheat,exe.url C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3920535620-1286624088-2946613906-1000\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5wxekvz45.jpg" C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133871574432365374" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \Registry\User\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\NotificationData C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\images.jpg:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Every row below is chrome.exe PID 4860 writing into its own child processes (PIDs 4992, 1840, 3764 and 3836), which is how the browser launches its helper processes. None of these writes originate from the sample, so this signature adds nothing to the verdict for this detonation.

Description Indicator Process Target
PID 4860 wrote to memory of 4992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 4992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 1840 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 1840 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 3836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

The listing below is flat (no parent/child links are given here), but read top to bottom it shows the whole chain. Chaos Ransomware Builder v4.exe compiles a payload through the .NET CodeDOM path (csc.exe /noconfig /fullpaths @*.cmdline, then cvtres.exe writing a RES*.tmp resource from a CSC*.TMP input on the Desktop); Azera Spoofer FN cheat.exe then runs from the Desktop, and a copy named "Azera Spoofer FN cheat,exe.exe" (the comma is part of the real file name, not a typo) runs from AppData\Roaming. Three cmd.exe /C chains follow: vssadmin and wmic delete shadow copies, bcdedit turns off boot recovery, and wbadmin deletes the backup catalog; all three need an elevated token, and the spawned vssvc.exe, wbengine.exe, vdsldr.exe and vds.exe show the services were actually driven. NOTEPAD.EXE opening read_it.txt from AppData\Roaming is the ransom note being displayed. The chrome.exe, elevation_service.exe and NgcSvc svchost.exe entries belong to the browser session started during detonation, not to the sample.

C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe

"C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d360dcf8,0x7ff9d360dd04,0x7ff9d360dd10

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1480,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2088 /prefetch:11

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2060,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2056 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1416 /prefetch:13

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3224,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3384 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4192,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4212 /prefetch:9

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4672,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4704 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5192,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5172 /prefetch:14

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5412,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5428 /prefetch:14

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5276,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5448 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3532 /prefetch:14

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3520,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3472 /prefetch:14

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3480,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4516 /prefetch:14

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3348,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3532 /prefetch:14

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3528,i,1581275248115519502,15179639231555815369,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3472 /prefetch:14

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yk5tl3ey\yk5tl3ey.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES348.tmp" "c:\Users\Admin\Desktop\CSC572ADE7D74314A7F95D33F17BB3CA8A.TMP"

C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe

"C:\Users\Admin\Desktop\Azera Spoofer FN cheat.exe"

C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe

"C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

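The three cmd.exe /C chains above are the part of this listing worth alerting on. The following is an added example, not code from the report or from the sandbox: it runs a small set of command-line rules over constructed process-creation events (field names pid, ppid, image and cmdline and all PIDs are this example's assumptions, modelled on the listing above), attributes hits from a cmd.exe wrapper and its children back to the process that launched the wrapper, and raises one finding only when several distinct recovery-inhibition commands trace to the same origin. The rule names and regular expressions are this example's own.

```python
"""Detect the recovery-inhibition chain (ATT&CK T1490) in process-creation events."""
import re
from collections import defaultdict

# Rule names and patterns are this example's own, written against the
# command lines in the process listing; "vssadmin list shadows" must not match.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "bcdedit_bootstatuspolicy_ignore": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_recoveryenabled_no": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}

# Constructed events modelled on the listing above; PIDs are invented.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Azera Spoofer FN cheat,exe.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\Wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 104, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'},
    {"pid": 105, "ppid": 104, "image": r"C:\Windows\system32\bcdedit.exe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 106, "ppid": 104, "image": r"C:\Windows\system32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 107, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'},
    {"pid": 108, "ppid": 107, "image": r"C:\Windows\system32\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    # Benign noise: an administrator listing shadow copies from an interactive console.
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]


def match_rules(cmdline):
    """Return the names of every rule whose pattern matches one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def _is_cmd(event):
    return event["image"].rsplit("\\", 1)[-1].lower() == "cmd.exe"


def root_actor(event, by_pid):
    """Step up through cmd.exe ancestors so hits from a 'cmd.exe /C a & b'
    wrapper and from its child processes are attributed to the process that
    launched the wrapper (the payload), not to cmd.exe or to vssadmin.exe."""
    cur = event
    while cur["ppid"] in by_pid and (_is_cmd(cur) or _is_cmd(by_pid[cur["ppid"]])):
        cur = by_pid[cur["ppid"]]
    return cur


def analyse(events, min_rules=2):
    """One finding per originating process that triggered at least min_rules
    distinct rules; a lone hit is left to lower-priority alerting."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for e in events:
        matched = match_rules(e["cmdline"])
        if matched:
            hits[root_actor(e, by_pid)["pid"]] |= matched
    return [
        {"pid": pid, "image": by_pid[pid]["image"], "rules": sorted(rules)}
        for pid, rules in hits.items()
        if len(rules) >= min_rules
    ]


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(f"T1490 chain from PID {finding['pid']} ({finding['image']}): {', '.join(finding['rules'])}")
```

Attributing to the root actor matters because the same command appears twice in telemetry, once inside the cmd.exe /C wrapper and once as the child's own command line; counting distinct rules per origin rather than per event keeps the threshold meaningful and leaves the interactive "vssadmin list shadows" alone.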
Network

All destinations listed are Google service endpoints reached by the Chrome session started during detonation, plus one local mDNS multicast (224.0.0.251:5353, which has no domain to show); nothing in this table is attributable to the sample.

Country Destination Domain Proto
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 216.58.201.106:443 ogads-pa.googleapis.com udp
GB 142.250.179.238:443 apis.google.com udp
GB 216.58.201.106:443 ogads-pa.googleapis.com tcp
GB 172.217.169.14:443 play.google.com udp
GB 172.217.169.14:443 play.google.com tcp
GB 172.217.169.14:443 play.google.com udp
GB 142.250.200.46:443 clients2.google.com udp
N/A 224.0.0.251:5353 udp
GB 142.250.179.228:443 www.google.com udp
US 216.239.34.157:443 tunnel.googlezip.net tcp
GB 216.58.201.106:443 content-autofill.googleapis.com udp
US 216.239.34.157:443 tunnel.googlezip.net tcp
GB 172.217.169.14:443 play.google.com tcp
GB 172.217.169.14:443 play.google.com udp
GB 216.58.201.110:443 consent.google.com tcp
GB 216.58.204.78:443 encrypted-tbn0.gstatic.com tcp
GB 216.58.204.78:443 encrypted-tbn0.gstatic.com tcp
GB 216.58.204.78:443 encrypted-tbn0.gstatic.com tcp
GB 216.58.204.78:443 encrypted-tbn0.gstatic.com tcp
GB 216.58.204.78:443 encrypted-tbn0.gstatic.com udp
JP 172.217.174.99:443 beacons.gcp.gvt2.com tcp
JP 172.217.174.99:443 beacons.gcp.gvt2.com tcp
GB 142.250.187.238:443 lens.google.com tcp
GB 216.58.204.78:443 encrypted-tbn0.gstatic.com tcp

Files

memory/5972-0-0x00007FF9D7C93000-0x00007FF9D7C95000-memory.dmp

memory/5972-1-0x0000000000630000-0x00000000006BE000-memory.dmp

memory/5972-2-0x00007FF9D7C90000-0x00007FF9D8752000-memory.dmp

memory/5972-3-0x00007FF9D7C90000-0x00007FF9D8752000-memory.dmp

memory/5972-4-0x00007FF9D7C90000-0x00007FF9D8752000-memory.dmp

memory/5972-5-0x00007FF9D7C90000-0x00007FF9D8752000-memory.dmp

memory/5972-6-0x00007FF9D7C90000-0x00007FF9D8752000-memory.dmp

memory/5972-7-0x00007FF9D7C90000-0x00007FF9D8752000-memory.dmp

memory/5972-8-0x00007FF9D7C90000-0x00007FF9D8752000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 405feffb5f58e820904ac48f56cf618a
SHA1 4e59ecb80587e88b017d2828fcff2c7a3c9c1691
SHA256 4ee2b73689290fbd9e71cfd1100929e2acfe9657fda9353e55a50ad184dfb134
SHA512 680a96e293eb09ed5608faa6b9fe98487ff468c172c8e7ce23a893c86eb91b9e7941b765e5823f0918cbf6c7128e781af901383b9250d6986a6cf4d798b31c8b

\??\pipe\crashpad_4860_YBEGBTENZOGGTLRH
