Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 08/08/2024, 07:25
Behavioral task: behavioral1
- Sample: FridayBoycrazyV2.exe
- Resource: win11-20240802-en
General
- Target: FridayBoycrazyV2.exe
- Size: 280KB
- MD5: 41e34a8240026b4e9cd8d81a73ee8b2c
- SHA1: 3876b12e152dd552a7059538242b6f87a23e60f5
- SHA256: 0ef2768bdfaa0b953a5c498f18bbf2df5dce249eaf2044474c476c4367c535b5
- SHA512: a7d610ee4f116121757f47193bf092b639cf2d439dcfa364ea800c28c0f21996fd8baa31c9abe68d2c18cc8f334c57f9d71c4e444a04a27d3b9cab90eecbba73
- SSDEEP: 6144:1r93iyJ7/+WZT1kRnSeXSX9MNzxiMwP2OswK:iyJ7/+Wd1kRnFX4mNzxyeOswK
Malware Config
Extracted
C:\Users\Admin\Documents\Warning.txt
https://www.roblox.com/game-pass/887175972
https://venmo.com/u/gratefulcode
Signatures
- Chaos
  Ransomware family first seen in June 2021.
- Chaos Ransomware 2 IoCs
  resource | yara_rule
  behavioral1/memory/1064-0-0x0000000000210000-0x000000000025C000-memory.dmp | family_chaos
  behavioral1/files/0x000300000002aa35-6.dat | family_chaos
- Deletes shadow copies 3 TTPs
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  pid | Process
  3352 | bcdedit.exe
  4888 | bcdedit.exe
- Deletes backup catalog
  pid | Process
  3636 | wbadmin.exe
- Drops startup file 3 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FridayBoycrazy.url | FridayBoycrazy.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | FridayBoycrazy.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Warning.txt | FridayBoycrazy.exe
- Executes dropped EXE 1 IoCs
  pid | Process
  3572 | FridayBoycrazy.exe
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) 34 IoCs
  All 34 entries are "File opened for modification" by FridayBoycrazy.exe; the ioc paths are:
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Users\Public\Music\desktop.ini
  F:\$RECYCLE.BIN\S-1-5-21-2227988167-2813779459-4240799794-1000\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4sik1y7y4.jpg" | FridayBoycrazy.exe
- Drops file in Windows directory 1 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\SystemTemp | chrome.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe (6 entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe (1 entry)
- Checks SCSI registry key(s) 3 TTPs 4 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Enumerates system info in registry 2 TTPs 3 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
- Interacts with shadow copies 3 TTPs 1 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  4460 | vssadmin.exe
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Modifies data under HKEY_USERS 2 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133675756138929825" | chrome.exe
- Modifies registry class 18 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\ | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\篠䀐dz\ = "goxp_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\.goxp\ = "goxp_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\goxp_auto_file | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\\ = "goxp_auto_file" | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\goxp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings | FridayBoycrazy.exe
  Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\횶ꈞ刀耀篠䀐dz | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\횶ꈞ刀耀篠䀐dz\ = "goxp_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\篠䀐dz | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\goxp_auto_file\shell\Read | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\goxp_auto_file\shell | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\goxp_auto_file\shell\Read\command | OpenWith.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2227988167-2813779459-4240799794-1000\{18B39E0D-9D2C-40F6-BB92-FCC963F77D05} | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\.goxp | OpenWith.exe
- Opens file in notepad (likely ransom note) 1 IoCs
  pid | Process
  1204 | NOTEPAD.EXE
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid | Process
  3572 | FridayBoycrazy.exe
- Suspicious behavior: EnumeratesProcesses 41 IoCs
  pid | Process
  1064 | FridayBoycrazyV2.exe (19 entries)
  3572 | FridayBoycrazy.exe (20 entries)
  2764 | chrome.exe (2 entries)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | Process
  5820 | OpenWith.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  pid | Process
  2764 | chrome.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 1064 | FridayBoycrazyV2.exe
  Token: SeDebugPrivilege | 3572 | FridayBoycrazy.exe
  Token: SeBackupPrivilege | 2272 | vssvc.exe
  Token: SeRestorePrivilege | 2272 | vssvc.exe
  Token: SeAuditPrivilege | 2272 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence of 21 tokens appears twice) | 3384 | WMIC.exe
  Token: SeBackupPrivilege | 2800 | wbengine.exe
  Token: SeRestorePrivilege | 2800 | wbengine.exe
  Token: SeSecurityPrivilege | 2800 | wbengine.exe
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (this pair appears 7 times) | 2764 | chrome.exe
- Suspicious use of FindShellTrayWindow 27 IoCs
  pid | Process
  2764 | chrome.exe (27 entries)
- Suspicious use of SendNotifyMessage 12 IoCs
  pid | Process
  2764 | chrome.exe (12 entries)
- Suspicious use of SetWindowsHookEx 17 IoCs
  pid | Process
  4416 | MiniSearchHost.exe (1 entry)
  5820 | OpenWith.exe (11 entries)
  5892 | AcroRd32.exe (4 entries)
  736 | OpenWith.exe (1 entry)
- Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target
  PID 1064 wrote to memory of 3572 | 1064 | FridayBoycrazyV2.exe | 82 (2 entries)
  PID 3572 wrote to memory of 1716 | 3572 | FridayBoycrazy.exe | 84 (2 entries)
  PID 1716 wrote to memory of 4460 | 1716 | cmd.exe | 86 (2 entries)
  PID 1716 wrote to memory of 3384 | 1716 | cmd.exe | 89 (2 entries)
  PID 3572 wrote to memory of 3844 | 3572 | FridayBoycrazy.exe | 91 (2 entries)
  PID 3844 wrote to memory of 3352 | 3844 | cmd.exe | 93 (2 entries)
  PID 3844 wrote to memory of 4888 | 3844 | cmd.exe | 94 (2 entries)
  PID 3572 wrote to memory of 956 | 3572 | FridayBoycrazy.exe | 95 (2 entries)
  PID 956 wrote to memory of 3636 | 956 | cmd.exe | 97 (2 entries)
  PID 3572 wrote to memory of 1204 | 3572 | FridayBoycrazy.exe | 101 (2 entries)
  PID 2764 wrote to memory of 3184 | 2764 | chrome.exe | 110 (2 entries)
  PID 2764 wrote to memory of 3848 | 2764 | chrome.exe | 111 (30 entries)
  PID 2764 wrote to memory of 2908 | 2764 | chrome.exe | 112 (2 entries)
  PID 2764 wrote to memory of 2932 | 2764 | chrome.exe | 113 (10 entries)
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows the parent/child tree)
- C:\Users\Admin\AppData\Local\Temp\FridayBoycrazyV2.exe (PID 1064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FridayBoycrazyV2.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe (PID 3572)
    Command line: "C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe"
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 1716)
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe (PID 4460)
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      - C:\Windows\System32\Wbem\WMIC.exe (PID 3384)
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (PID 3844)
      Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\bcdedit.exe (PID 3352)
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
      - C:\Windows\system32\bcdedit.exe (PID 4888)
        Command line: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
    - C:\Windows\System32\cmd.exe (PID 956)
      Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wbadmin.exe (PID 3636)
        Command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
    - C:\Windows\system32\NOTEPAD.EXE (PID 1204)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Warning.txt
      - Opens file in notepad (likely ransom note)
- C:\Windows\system32\vssvc.exe (PID 2272)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 2800)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe (PID 3644)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (PID 3248)
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe (PID 4416)
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2764)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3184)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9e23cc40,0x7ffa9e23cc4c,0x7ffa9e23cc58
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3848)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,1238368743721880126,8147396218933799070,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1916 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2908)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1800,i,1238368743721880126,8147396218933799070,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2076 /prefetch:3
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2932)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,1238368743721880126,8147396218933799070,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2208 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3480)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,1238368743721880126,8147396218933799070,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3236 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4512)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,1238368743721880126,8147396218933799070,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3292 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4524)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3524,i,1238368743721880126,8147396218933799070,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4412 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3936)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,1238368743721880126,8147396218933799070,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4720 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2304)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,1238368743721880126,8147396218933799070,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4840 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3836)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4868,i,1238368743721880126,8147396218933799070,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4964 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4412)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3396,i,1238368743721880126,8147396218933799070,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3496 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2788)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3300,i,1238368743721880126,8147396218933799070,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4604 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5380)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5492,i,1238368743721880126,8147396218933799070,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5500 /prefetch:8
    - Modifies registry class
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5848)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4552,i,1238368743721880126,8147396218933799070,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4292 /prefetch:8
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 4312)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- C:\Windows\system32\svchost.exe (PID 2132)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
- C:\Windows\system32\AUDIODG.EXE (PID 5176)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004CC
- C:\Windows\system32\OpenWith.exe (PID 5820)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 5892)
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk.goxp"
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 5192)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - System Location Discovery: System Language Discovery
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 5232)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D0282D30636CDFC00C5E231BBC4B4D4E --mojo-platform-channel-handle=1772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - System Location Discovery: System Language Discovery
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5CD5D6C07DCF1D81738633D05EC0A7F9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode
--service-request-channel-token=5CD5D6C07DCF1D81738633D05EC0A7F9 --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
PID:5228
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F674DA999F16B19F50B1516CFBA062CD --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:5592
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DB64E8AC2E2262C9CC87525EEC7B03F3 --mojo-platform-channel-handle=2452 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:5648
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B5702FF6E762DD7253909E9CFABB528F --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:4588
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5572
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:736
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:6056
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (3)
- File Deletion (3)
- Modify Registry (2)
Downloads
-
Filesize 528B
MD5 af8233ca345864a7f144154a1d9ce6c5
SHA1 c2c5e24b4e97ee3b6f913fc92e0979d0845cfd48
SHA256 c742eb0a7bd4564ff10da293241bb09036c61a284c27402a18bcefc55c3c879b
SHA512 f5c173594a5ff93f908516924133c745eed22461b7e9bf3b340b8774a1a93cb92eff2f96f578cb96aa4a07a572f8aba1bd080f41dedb85a337a8c0d8cf839f90
-
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\9bca5f92-54ab-4b34-8f95-7951ae959338.tmp
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 4KB
MD5 bb62f8b6006e13793948edfb464035fe
SHA1 7cc07f7cc61bfc3e90f9ff5502cf64aaa9cf382c
SHA256 40bb77deedc3d866be1b767775315a43349da5cccd7b5e2724421f3dd0ae0e2a
SHA512 e4d1aacbc37362e435cde1c86dfbf88e57af0bd5d3775f494fc6597ed53dd4c3d207d5617b2d8596e5b381e4ac43692acee59fa84d02a98c94694c49d787892a
-
Filesize 859B
MD5 c230bf3f5ef661ef4f02b84a2720a590
SHA1 e44e7be5ece9724fea2cbcdd7e44b18dffb7f69c
SHA256 1175cacca4eb31d3cd75b7e74b95148602602a2120fe7bda5ab451d2dc214934
SHA512 45468ca069a8b0a49a1c4f1c8df64a2170f77f9dddf636d4faa597190263d613f48e34cae7b3f79b8649399e3c797c942bb6aec3d3aefb89c61d965313ed64bf
-
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize 9KB
MD5 cb3961fd40b7357bb8487c7daa5c5a39
SHA1 abf7eaf6447f24be175eb41cc57bcd646157caef
SHA256 23a3fc20976a57e286a2d2186b7c4fb416027311c6580119e66201894e4a5cee
SHA512 e6a7db59b1e22413c8f4c203c51efd332978359a7b6b2406212ff4534dfa4bb3405d9ea3566aea2f8d61be93a0bfe7929cb83514a94a97751cd342614ac2cba9
-
Filesize 10KB
MD5 dd66791f87c114a9a96d8d193d51e306
SHA1 3b92b87b4fc08962650667243735f76e060086e2
SHA256 2cedcd29d9eee936db8f72f203c969e21a63aec7f008255798e3632a0f7bdbc9
SHA512 23c13e251c48672cbec0efcc14775e7ffbe0fde8493dbf0ec2079fbd6bad6497c9902b4deac5468d5ef2c18270787a0a816470a0e4097c00f2f0adb02587227d
-
Filesize 15KB
MD5 e0183f0bc180ec4ed6e93196f520719b
SHA1 adebdb445dbc6674c1ad55d21146b17bfc75cf5c
SHA256 d780fe8874a7f19847f4753639560910509c92d06406418e378008d39e43f170
SHA512 c5bdba96f239cf2bb1069b57e2b95663c519a9e463263611d498b80feead8fbdb33dd11a047d57282a409bc4601ce69f8d7e48c4e9288fa5e52784a92a54dacf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\80c69d5b-48cc-4d87-b7db-21247cec888b\index-dir\the-real-index
Filesize 2KB
MD5 a9cb1c70cb99012b243921319cbecdef
SHA1 46241f199a96f9755f813ffaefab48e5d4b704d2
SHA256 cf0bc82216b95d4a38be9fe37d4cfd3ada4f1d8cf63588ee6e3254d4cc8bc097
SHA512 41c702a036fca2c1c73055aafea139356ef4fc311962b1cc775218a28917666a9a92332a7570572d636a4392e6cfe84c693e5c594f600b620ac1be867a730ad8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\80c69d5b-48cc-4d87-b7db-21247cec888b\index-dir\the-real-index~RFe586dd8.TMP
Filesize 48B
MD5 fd1ed9102bf16a9b375e82c58107dd24
SHA1 67d4878388d8e748848f648caae007e9e81833f3
SHA256 00b32eb295356763c64c26f0630652100f62b0847b5a218a4f2980ba797491fe
SHA512 322c689155e342a2d8420b1f785d2f84d87e783daf2e52acd39a86a58dc1c35810893c1d1ec5fe16ccc603e11aa51cc5b212f39ab9410a213a9e35466a9d77f7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize 176B
MD5 f4d41c438feae258c7d302a598a6122c
SHA1 3d0130ac20167c414e223f143728de946eb7664e
SHA256 5be941b96d1450e470f6c7319a9b54268f5378b211f539b2480e6e9185eaa871
SHA512 d0f79d654d1387450d52abd410086b6e0edeaa2ba7000a5fbbebf42eafac53bbb1bd987c5a01b2407637a0fc9f78cb9d7d76b9c2fd67df3441766404f13e7885
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize 112B
MD5 c0e26d32834250f7bc5ceac0f1046874
SHA1 4e5513b7946cf59451127af0252d5651e6cc22fe
SHA256 0e1622aeb4f6333fecf00236b2032b08e22aa54f7dd886f3f5942f6d48478efe
SHA512 460630c09ada4080ca27396fd0f58c5163681d3f1cb990ff05f736d183279f48787793d07072006e023cc63e51952be2cb5fc3fc62919778048931f19b6eaeb6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize 114B
MD5 335e6489ee65d309f6304a84c3c8605e
SHA1 d8ee9ab0a5c6d0581f13a837d350e44bf95095aa
SHA256 a2954ffe752fa5b6c4130071e115cbd1936a958883e8579cf693aef84e6ae6e5
SHA512 c52771f05684a68b5fa9065abe39e258a0dcf3008bc0a8f6791ef2471e100bc66969a0fdf08bb8e75d42ad17bb137ee60b77a8fc1d976cb36e16739508037cf5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58625f.TMP
Filesize 119B
MD5 d80fa7c1048f5e1ecc08da7380bf306b
SHA1 4c0c5021ad0519b4018bc6615761a8a10c5b569c
SHA256 ae0894311b01572b97425895a274e9bd1b0e143dfc7c87c7cd40955b149ddb99
SHA512 fcd73051ba27cb0fd90cab2f94fa453f8980cb7ca1e15a0f1658718f5e0ff6ebde5dd0141e6b181e1de18e71649ad345aca5c17cead66519a44cf77d0e6d5dc0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize 96B
MD5 653d4c35cc79befc4d966b9efffafd05
SHA1 2cfe26187602ee77c811dd0edeab7258abe1dd1c
SHA256 18f68d5225a8fdbce28a33713637ad4c5aa0c44cdcc1305452681d1b68b3e04a
SHA512 0398b5b2c867ef77ab0efbb04e5224f88714aa25a442e1885a951e58001b4bebfd67207a4bf2f86d56d7ec1de48b0300f5fb4089198d72c2e72a73aaf4201875
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Shortcuts Menu Icons\Monochrome\1\512.png
Filesize 10KB
MD5 529a0ad2f85dff6370e98e206ecb6ef9
SHA1 7a4ff97f02962afeca94f1815168f41ba54b0691
SHA256 31db550eb9c0d9afd316dc85cdfd832510e2c48e7d37d4a610c175667a4599c6
SHA512 d00e2d741a0a6321c92a4aab632f8f3bafd33c0e2875f37868e195ed5e7200a647b4c83358edcef5fc7acbc5c57f70410903f39eac76e23e88a342ac5c9c21cd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2764_1078498477\Shortcuts Menu Icons\Monochrome\0\512.png
Filesize 2KB
MD5 206fd9669027c437a36fbf7d73657db7
SHA1 8dee68de4deac72e86bbb28b8e5a915df3b5f3a5
SHA256 0d17a989f42bc129aca8e755871a7025acb6292ce06ca2437e95bedbc328fa18
SHA512 2c89878ec8466edf1f214d918aefc6a9b3de46d06ffacff4fdb85566560e94068601b1e4377d9d2eabefdc1c7f09eb46b00cf4545e377cc84a69edf8e57e48b2
-
Filesize 193KB
MD5 3c00029b3fc643d3e79ae4dad4df9793
SHA1 6b2ff3e2697553a8302ef37a8fbaca3983c1b69c
SHA256 a7c175aa99da4b812254c9031233908aa008bcd1180670207e2fdcd4e91c38a8
SHA512 7ab691477c24737fe3ad6a9c7f69c294c0ffe33b1812d8549f4de90cf677a155aa6558073b24f72baa23c06614e4f856bc2eb985084ab24b1f29b7e489718b41
-
Filesize 193KB
MD5 7476b044250d9a8e4b9a6e5a3a2ac3a8
SHA1 f747377f87f38fb6477fddb78648ced2260911bb
SHA256 1bff0525d00e65776391272152b8fc961c8420e2618e65e3a0ae47d343af6814
SHA512 9164cb64d8947efe346f1a7215eac157f5706d4d132fe53806b36ea816fb4a4ba7a18abc94fd50d4da6b866230591aeea23b7e9f84b4737ade7ee74da9d24be7
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize 9KB
MD5 dc5eade3556c3c675aba77260f9b88a8
SHA1 5cc7034a830785019a458f6bef6bfb35eef6b0ee
SHA256 5abe2b3294d4d5a0e6b1dba82571d7752cf23f8099cc393555ab95cb4ca2469a
SHA512 11be37c4509267f43083fe680904d59ab37d8b83ba45a32319f900b2442daf7cc0a5f31fabad6a543ee734576a086f64c018541891c4a58cdefbf64bce350f7c
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize 9KB
MD5 6c394f89f6062011d588d11f21b1e38d
SHA1 d0368d642a6cabb55e3502c6774cf416b8f4da2b
SHA256 ba59fd0937e07f15c9694f549e7034d074195b542f31a174f84a5c0fe7c840c1
SHA512 6b3e46fee67bce52a67d588dd789b899e638f2e98672b97725e26c12189b225a75d4b81a49d2bcc15a7c2b966026863d051eaddc62039ac3d42f3cf66c592d62
-
Filesize 280KB
MD5 41e34a8240026b4e9cd8d81a73ee8b2c
SHA1 3876b12e152dd552a7059538242b6f87a23e60f5
SHA256 0ef2768bdfaa0b953a5c498f18bbf2df5dce249eaf2044474c476c4367c535b5
SHA512 a7d610ee4f116121757f47193bf092b639cf2d439dcfa364ea800c28c0f21996fd8baa31c9abe68d2c18cc8f334c57f9d71c4e444a04a27d3b9cab90eecbba73
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk.goxp
Filesize 3KB
MD5 26be448befefc08863dd56fd14bb46fc
SHA1 ded01440c8882d82ea127038bb17c002656f3f24
SHA256 90f4e1d75b0a7d5295ec249b33779eb4d4ac2e04c92e4e0a50f8277b37df172c
SHA512 e5b9a96cbb1581d4880d3b3b0aa3643b73d53112ef03f659425d6c18eb2453acf6c8ce26b2443677cd33f8496cc563d39b323a06bfb37d76b3fbba02db4a7ed6
-
Filesize 642B
MD5 072e26ca8a9c9502061d1c3d9e3bbeaa
SHA1 fe55bffddd0d415c293e8e926d302e3586212322
SHA256 f7b22500b7a82a9446b635353aceecbdc205c9208eeb72c2e2c1b6d0a9a1bd62
SHA512 2bc83902a56df2a3178c3b59ad8014a08b282e60289123a10d9a4d643a604876e008e782a6c861bfd211580a5fdbb1bcf748c3197210d71dc18d8949c62d4610