hxxp://oxy[.]name/d/eKTf

Analysis

max time kernel
149s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
06/08/2023, 11:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://oxy.name/d/eKTf

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133357959426368496"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2916	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3704	chrome.exe
3704	chrome.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
2536	chrome.exe
2536	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4460	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeRestorePrivilege	4460	7zFM.exe
Token: 35	4460	7zFM.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe
4460	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 168	3704	chrome.exe	70
PID 3704 wrote to memory of 168	3704	chrome.exe	70
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4916	3704	chrome.exe	76
PID 3704 wrote to memory of 4104	3704	chrome.exe	72
PID 3704 wrote to memory of 4104	3704	chrome.exe	72
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73
PID 3704 wrote to memory of 5096	3704	chrome.exe	73

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://oxy.name/d/eKTf
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffdf8719758,0x7ffdf8719768,0x7ffdf8719778
  2⤵
  PID:168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2664 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2644 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:2
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4500 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3496 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4896 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5108 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4912 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:1
  2⤵
  PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5132 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5236 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3840 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4936 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3100 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:8
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5844 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:8
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4796 --field-trial-handle=1728,i,4497895441656263846,1327201752122593956,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3384

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\nl gui.rar"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4460
- C:\Windows\System32\fontview.exe
  "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\7zOC612F6BA\museosanscyrl-300.ttf
  2⤵
  PID:424
- C:\Windows\System32\fontview.exe
  "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\7zOC612129A\ProggyTiny.ttf
  2⤵
  PID:4884
- C:\Windows\System32\fontview.exe
  "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\7zOC61B13EA\Cousine-Regular.ttf
  2⤵
  PID:1528
- C:\Windows\System32\fontview.exe
  "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\7zOC61092FA\DroidSans.ttf
  2⤵
  PID:1392
- C:\Windows\System32\fontview.exe
  "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\7zOC616BEFA\Karla-Regular.ttf
  2⤵
  PID:4016
- C:\Windows\System32\fontview.exe
  "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\7zOC61256DA\Roboto-Medium.ttf
  2⤵
  PID:2776
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC619C20B\README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
901a8a90c90d464b4eb9a12ba9f0303a

SHA1
448b9e22026e24ab959c814df988e305103b4754

SHA256
e0fa6fef439189f682a19986cf7154e84063aa7d65c452b6e0a0e752dce83bc9

SHA512
a380f6f092a9ed561aae921e927dae50d9e45771980f5f4f977c9cde481c04a9b39fec9d678afe1319f40b9f87a59cd865f75d7739db0bcef2467ca7af3a6e5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
9c9cfff33dd1735b66eeb1160b2218f9

SHA1
f1bb63dc6eece8b85a76b987bb187712a1f2b833

SHA256
69cdd9eb986d7a299faeeb4f1703bc81a66b8ce28f60a4cfba0fefe8a92316cf

SHA512
f06c395420eb9390f0361505a93653d9b3bb3b7bf948fc8dae7b637a09cd71b656501a124564fe70d348334c1be23d3f70ee850515ca39ff7c3611ab5c3462bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
08e83f74fb6fd46d99607a6438acfdd1

SHA1
b6fd0fbc26c24fe66acc72068bd04a6ff7285cf0

SHA256
9890819ab0407967a6d1932ca00e3ae3e599fcd55ff30076cb4cf9aae7d77fc0

SHA512
58596d04532cf5912daa6e433d15d5861002238fac4db49a6505d909fb2f2aa73eeb36f65f7dde9c69351a6db9da667c2a8151230881e7064472c46e9882d2ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
72bb177a1f138cf3ff3c952d7bc2b99d

SHA1
65c2430e833792e2ab386e709da624acc18d6ef2

SHA256
99f422765943f85e55ca5138e60d143ed907d2fa7be35634596360a6b53f220d

SHA512
138169118cafbe5075cf1727f18f7d6d0702751c12654e5a3704423ddfe23d3effdaf49b69b65f63145ff15866990640c1a4d68519e7e22bab4ffeccd3628545

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
878134226156504b1fd44e1423caa1ea

SHA1
e372aa4f07e1b59d4c0d5a6cfd0094acf57109dc

SHA256
bf06dda1a98bde98afe1abb565ab9e00c4187d4cf6bf1b03c8da79729d74995f

SHA512
cc38126a6a03066d540de25a59e0c6f212c8c7191eaeaf619d8f48ee62c4085a96a463b0079e2c7a7c86cbe9c5480994c560b44eb8179bfd91c3efe6c0c97cf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
0a9c04cf8421dbb9fa27992dc7655358

SHA1
3b89deb248d604e978a55c31740e5f23f023f9d4

SHA256
0b675ad64c0fb862f9c67eaeb4bc3c50df4f36adcc0b1c50582945bdae818e14

SHA512
191c5bb098154876a4f55c94ff60321d088ea79f09df2ef96e8889f88323863c43c88015f0ca84768b5818ca8a1eeab581c1b558c21351b8b7cf7ee15ef7104f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
7fd286a636113d3bcfb5cc94e6e09dd4

SHA1
e4be818eefa68e965d12bb47d57a43c1e8374866

SHA256
7bc509696439b40248d8d19d9c273bff15e6089f4aca05d1548322aba50af0fd

SHA512
b2ae40201f469903c390be9366c8f6ca71f33a25cecf889bd6e3482bf418d257776ff2d25f508bec5255de361e394990ec6a6c0ed9ee670ce16aee604fc34893

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59f3dc.TMP

Filesize
98KB

MD5
c17c31c977196183111b38c3c1905fc8

SHA1
f521fec5e338d30960b1fb48716b18198b2d9f36

SHA256
0b94b1dc0dc7de8c26cfedd5b22062e5cf986ea3587d032a6a75798ae7a731a3

SHA512
78c661b0931410fedd43cb0f5c12de3ae3f7c2e4e527de2e8929486b118b6ea3d95c8f3e20d2cd9d45b8ffa5e46c39aad606a35f4f69774bddfd961653bf6379

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC61092FA\DroidSans.ttf

Filesize
185KB

MD5
9d83fb20700a3a7c45dc9acd64ab121e

SHA1
da5b3c7758a2c8fbc4775beb69d7150493c7d312

SHA256
4e2371bc0e4cf6983342e150412f140da79d674c9be0b56458401f581072ecd3

SHA512
d7b4bc364a17179f3bfa306af42e33f3c4645bd84a49fb72b255efb8a066518e7dfc003c7dd179655d1b87a7c9512e41abd054fc0f02c322eaef42209fdfbf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC612129A\ProggyTiny.ttf

Filesize
34KB

MD5
6eec1497b5b2f7ca96910039dced6ac4

SHA1
c5ee3a408981e5bbe7a5646b3c11816339b61cac

SHA256
79bf8d3896ba83ae2f9c4fa214dce8fc689eae47950474947a4cc5c6e14a9bfc

SHA512
0b23596b137647716d92019b56cf1d564b160377061d7a442839e3e8af2ba4deb00c76ed75402d2d980f7588e45f64a27fb72528fa0604c82d85df91ce9a0496

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC61256DA\Roboto-Medium.ttf

Filesize
158KB

MD5
fe13e4170719c2fc586501e777bde143

SHA1
08bab5b1ab478e8af2279b613d3a32636b85cc65

SHA256
8559132c89ad51d8a2ba5b171887a44a7ba93776e205f553573de228e64b45f8

SHA512
c62dc07831278e29213c05d93439aacf7da7b741fc572c28851f9d392380c6d802e3147a388c4d7a3a0f359306e50cefc4b4e2b0b98b9235c73cb699bd6fd218

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC612F6BA\museosanscyrl-300.ttf

Filesize
126KB

MD5
c2e5987ab95e9df93393619a6eac8dea

SHA1
f3c36bae1cb2b9575ca094bd500ed3fd25e6d536

SHA256
5d85065052d7be514682a881888a36a2da0f6ee37184b909c17b54dd2a0644c7

SHA512
3383dae42a8bb8fff06a0f7b0aae87a58a5a46384c6dfc44be72a89353731f76edfa4db4afef985198c196eb84f0144df99357a08429abe2e7bde837de6caf76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC616BEFA\Karla-Regular.ttf

Filesize
16KB

MD5
b923ce07bd8c6d8c02f163460d4428ca

SHA1
81c645a5bb59f327489ed86c48cc18b7f780a0a4

SHA256
907c55a993e35b3ae4f3b8b8c28367f4b6d431df8e9ca6fbd382d8317dd3684e

SHA512
c8ed55f13d89c501c7e87f841bd388512171e6b73bccba01d09f91fada430e9748dcf9a6cf9314c909ba487caa3bf5918269760bd4614d4ccc22983a281f1fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC619C20B\README.txt

Filesize
998B

MD5
1602fe2f469b383ec478463d949d9a82

SHA1
3da7de2de41f8bc97de6fcd9cbb657810800a859

SHA256
c00e156900bcd0db58bfaee14027dd69fcc33c3cce7533b546fdc00dcc9e58dc

SHA512
e7512fcba0b111bdce3a55e1a2ca4eb809c06411ebe4d4d8c9231b42deee2e765f6ae108cd789b67a50de89c575f1ed250457dde7198a2f8a8472d7137fcaff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC61B13EA\Cousine-Regular.ttf

Filesize
42KB

MD5
0df40da32257f8430af90e514e5bdfe2

SHA1
1bbd6022d85dc8b5e51f2ccaf678528bcb1bedda

SHA256
0d5d5eeb6a342432bd63a3c0d16e8470160e019933ee5af3e159d06d665dacce

SHA512
cb870652a8ef21fffd1713874ca8ae913cbca640e610bca4a5bfc91190ca9ff091a7712e5e102615969d08345591faa39476fd745dfa2a55cea52933accea72d

Download Submit
C:\Users\Admin\Downloads\nl gui.rar

Filesize
44.0MB

MD5
e1b17e3c1d11eb7b39a7ad613440c24e

SHA1
6aec5aee09fa79b8188563d37f3e7c8f21da10e4

SHA256
2a07bd543f7c5602f5a67a6d05bc31dcf4d8815f36d5cd2be268b083c9c0c82c

SHA512
7198a7d98d71d99646613f72d09bc3ab631351264ce2a97e24e4bef72489b4e4a2020452c2ea533fb1103acbb51bb68cd60a5a04e52abc0b84a75489ac45e621

Download Submit
C:\Users\Admin\Downloads\nl gui.rar.crdownload

Filesize
44.0MB

MD5
e1b17e3c1d11eb7b39a7ad613440c24e

SHA1
6aec5aee09fa79b8188563d37f3e7c8f21da10e4

SHA256
2a07bd543f7c5602f5a67a6d05bc31dcf4d8815f36d5cd2be268b083c9c0c82c

SHA512
7198a7d98d71d99646613f72d09bc3ab631351264ce2a97e24e4bef72489b4e4a2020452c2ea533fb1103acbb51bb68cd60a5a04e52abc0b84a75489ac45e621

Download Submit