370a27a30ee57247faddeb1f99a83933247e07c8760a07ed82e451e1cb5e5cdd

General

Target

windirstat1_1_2_setup.exe
Size

630KB
MD5

3abf1c149873e25d4e266225fbf37cbf
SHA1

6fa92dd2ca691c11dfbfc0a239e34369897a7fab
SHA256

370a27a30ee57247faddeb1f99a83933247e07c8760a07ed82e451e1cb5e5cdd
SHA512

b6d9672a580a02299bc370deb1fd99b5ca10ab86456385870cdae522c185ae51f8d390a7c50fcb5c7898523f52c834bb73515ffc6d0b0bcde210640e815ece9e
SSDEEP

12288:yCjeMsiGVBKvjxTNlZaLlcMj+wXZvQpd9nP2+ZMU2tYspZcMwr/GNd35:yCjeTZa7BTsxewXZUTP2HU2yawjY5

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 5 IoCs

Processes:

windirstat1_1_2_setup.exe

pid	process
1896	windirstat1_1_2_setup.exe
1896	windirstat1_1_2_setup.exe
1896	windirstat1_1_2_setup.exe
1896	windirstat1_1_2_setup.exe
1896	windirstat1_1_2_setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

Processes:

windirstat1_1_2_setup.exe

description	ioc	process
File created	C:\Program Files (x86)\WinDirStat\Uninstall.exe	windirstat1_1_2_setup.exe
File created	C:\Program Files (x86)\WinDirStat\windirstat.exe	windirstat1_1_2_setup.exe
File created	C:\Program Files (x86)\WinDirStat\windirstat.chm	windirstat1_1_2_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
\Program Files (x86)\WinDirStat\Uninstall.exe	nsis_installer_1

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid process

1040 chrome.exe
1692 chrome.exe
1692 chrome.exe
1692 chrome.exe
1692 chrome.exe
2444 chrome.exe

pid	process
1040	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
2444	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

chrome.exe

pid	process
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exe

pid	process
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1692 wrote to memory of 1352	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1352	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1352	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1924	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1040	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1040	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1040	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1524	1692	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe
"C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:1896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a44f50,0x7fef6a44f60,0x7fef6a44f70
2⤵
PID:1352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1228 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1048 /prefetch:2
2⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 /prefetch:8
2⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
2⤵
PID:1312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
2⤵
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3324 /prefetch:2
2⤵
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
2⤵
PID:1176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3532 /prefetch:8
2⤵
PID:2072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3676 /prefetch:8
2⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3888 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3876 /prefetch:8
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3856 /prefetch:8
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4148 /prefetch:8
2⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
2⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
2⤵
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
2⤵
PID:2568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2232 /prefetch:1
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
2⤵
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=108 /prefetch:8
2⤵
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3320 /prefetch:8
2⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
2⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
2⤵
PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5272 /prefetch:8
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 /prefetch:8
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5336 /prefetch:8
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5288 /prefetch:8
2⤵
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5324 /prefetch:8
2⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1020,508896930584818206,9089511386934131041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\pipe\crashpad_1692_AUDWQOZDKBGQFBUL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\WinDirStat\Uninstall.exe
Filesize
46KB

MD5
a127e6118b9dd2f9d5a7cc4d697a0105

SHA1
9ac17d4dcf0884ceafacf10c42209c0942dfe7a8

SHA256
afc864cfce79b2a6add491a27ea672d958233ed7a97a2cbbce60100d2fa1e670

SHA512
0e57d2856c02c55d477d9b3cc1d4bf5ffa3650d4b20be18b0a9e614d19143aee325c4cd92ff31bbddf6e93cd3ebeb47d8727de6e25faa366341cc71117122065

Download Submit
\Program Files (x86)\WinDirStat\windirstat.exe
Filesize
636KB

MD5
24cd9a82fcfc658dd3ae7ba25c958ffb

SHA1
26e14a532e1e050eb20755a0b7a5fea99dd80588

SHA256
cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

SHA512
4de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d

Download Submit
\Program Files (x86)\WinDirStat\windirstat.exe
Filesize
636KB

MD5
24cd9a82fcfc658dd3ae7ba25c958ffb

SHA1
26e14a532e1e050eb20755a0b7a5fea99dd80588

SHA256
cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

SHA512
4de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d

Download Submit
\Users\Admin\AppData\Local\Temp\nst63B.tmp\System.dll
Filesize
10KB

MD5
4125926391466fdbe8a4730f2374b033

SHA1
fdd23034ada72d2537939ac6755d7f7c0e9b3f0e

SHA256
6692bd93bcd04146831652780c1170da79aa3784c3c070d95fb1580e339de6c5

SHA512
32a1cf96842454b3c3641316ee39051ae024bdce9e88ac236eadad531f2c0a08d46b77d525f7d994c9a5af4cc9a391d30ee92b9ec782b7fb9a42c76f0f52a008

Download Submit
\Users\Admin\AppData\Local\Temp\nst63B.tmp\System.dll
Filesize
10KB

MD5
4125926391466fdbe8a4730f2374b033

SHA1
fdd23034ada72d2537939ac6755d7f7c0e9b3f0e

SHA256
6692bd93bcd04146831652780c1170da79aa3784c3c070d95fb1580e339de6c5

SHA512
32a1cf96842454b3c3641316ee39051ae024bdce9e88ac236eadad531f2c0a08d46b77d525f7d994c9a5af4cc9a391d30ee92b9ec782b7fb9a42c76f0f52a008

Download Submit
memory/1896-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads