370a27a30ee57247faddeb1f99a83933247e07c8760a07ed82e451e1cb5e5cdd

Analysis

max time kernel
115s
max time network
108s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-01-2023 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windirstat1_1_2_setup.exe
Size

630KB
MD5

3abf1c149873e25d4e266225fbf37cbf
SHA1

6fa92dd2ca691c11dfbfc0a239e34369897a7fab
SHA256

370a27a30ee57247faddeb1f99a83933247e07c8760a07ed82e451e1cb5e5cdd
SHA512

b6d9672a580a02299bc370deb1fd99b5ca10ab86456385870cdae522c185ae51f8d390a7c50fcb5c7898523f52c834bb73515ffc6d0b0bcde210640e815ece9e
SSDEEP

12288:yCjeMsiGVBKvjxTNlZaLlcMj+wXZvQpd9nP2+ZMU2tYspZcMwr/GNd35:yCjeTZa7BTsxewXZUTP2HU2yawjY5

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

windirstat.exe

pid process

852 windirstat.exe

pid	process
852	windirstat.exe

Loads dropped DLL 11 IoCs

Processes:

windirstat1_1_2_setup.exewindirstat.exe

pid	process
1992	windirstat1_1_2_setup.exe
1992	windirstat1_1_2_setup.exe
1992	windirstat1_1_2_setup.exe
1992	windirstat1_1_2_setup.exe
1992	windirstat1_1_2_setup.exe
1992	windirstat1_1_2_setup.exe
1992	windirstat1_1_2_setup.exe
1992	windirstat1_1_2_setup.exe
852	windirstat.exe
852	windirstat.exe
852	windirstat.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

windirstat.exe

description ioc process

File opened (read-only) \??\D: windirstat.exe

description	ioc	process
File opened (read-only)	\??\D:	windirstat.exe

Drops file in Program Files directory 4 IoCs

Processes:

windirstat1_1_2_setup.exe

description	ioc	process
File created	C:\Program Files (x86)\WinDirStat\windirstat.exe	windirstat1_1_2_setup.exe
File created	C:\Program Files (x86)\WinDirStat\wdsr040a.dll	windirstat1_1_2_setup.exe
File created	C:\Program Files (x86)\WinDirStat\windirstat.chm	windirstat1_1_2_setup.exe
File created	C:\Program Files (x86)\WinDirStat\Uninstall.exe	windirstat1_1_2_setup.exe

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Program Files (x86)\WinDirStat\Uninstall.exe	nsis_installer_1
C:\Program Files (x86)\WinDirStat\Uninstall.exe	nsis_installer_1

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

vlc.exevlc.exe

pid process

2224 vlc.exe
2552 vlc.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

chrome.exechrome.exe

pid process

1716 chrome.exe
1948 chrome.exe
1948 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

windirstat.exevlc.exevlc.exe

pid process

852 windirstat.exe
2224 vlc.exe
2552 vlc.exe

pid	process
2224	vlc.exe
2552	vlc.exe

pid	process
1716	chrome.exe
1948	chrome.exe
1948	chrome.exe

pid	process
852	windirstat.exe
2224	vlc.exe
2552	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

windirstat1_1_2_setup.exewindirstat.exe

description	pid	process
Token: SeRestorePrivilege	1992	windirstat1_1_2_setup.exe
Token: SeBackupPrivilege	1992	windirstat1_1_2_setup.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe
Token: SeBackupPrivilege	852	windirstat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exevlc.exevlc.exe

pid	process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2552	vlc.exe
2552	vlc.exe
2552	vlc.exe
2552	vlc.exe
2552	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exevlc.exevlc.exe

pid	process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2552	vlc.exe
2552	vlc.exe
2552	vlc.exe
2552	vlc.exe
2552	vlc.exe
2552	vlc.exe
2552	vlc.exe
2552	vlc.exe
2552	vlc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

windirstat.exevlc.exemspaint.exevlc.exe

pid process

852 windirstat.exe
852 windirstat.exe
852 windirstat.exe
2224 vlc.exe
2456 mspaint.exe
2456 mspaint.exe
2456 mspaint.exe
2456 mspaint.exe
2552 vlc.exe

pid	process
852	windirstat.exe
852	windirstat.exe
852	windirstat.exe
2224	vlc.exe
2456	mspaint.exe
2456	mspaint.exe
2456	mspaint.exe
2456	mspaint.exe
2552	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

windirstat1_1_2_setup.exechrome.exe

description	pid	process	target process
PID 1992 wrote to memory of 852	1992	windirstat1_1_2_setup.exe	windirstat.exe
PID 1992 wrote to memory of 852	1992	windirstat1_1_2_setup.exe	windirstat.exe
PID 1992 wrote to memory of 852	1992	windirstat1_1_2_setup.exe	windirstat.exe
PID 1992 wrote to memory of 852	1992	windirstat1_1_2_setup.exe	windirstat.exe
PID 1992 wrote to memory of 852	1992	windirstat1_1_2_setup.exe	windirstat.exe
PID 1992 wrote to memory of 852	1992	windirstat1_1_2_setup.exe	windirstat.exe
PID 1992 wrote to memory of 852	1992	windirstat1_1_2_setup.exe	windirstat.exe
PID 1948 wrote to memory of 600	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 600	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 600	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1728	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1716	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1716	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1716	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1616	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1616	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1616	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1616	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1616	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1616	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1616	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1616	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1616	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1616	1948	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe
"C:\Users\Admin\AppData\Local\Temp\windirstat1_1_2_setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Program Files (x86)\WinDirStat\windirstat.exe
"C:\Program Files (x86)\WinDirStat\windirstat.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:852

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef70f4f50,0x7fef70f4f60,0x7fef70f4f70
2⤵
PID:600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1076,2345339899499896256,4460060493840197152,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1088 /prefetch:2
2⤵
PID:1728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1076,2345339899499896256,4460060493840197152,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1384 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1076,2345339899499896256,4460060493840197152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1672 /prefetch:8
2⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1076,2345339899499896256,4460060493840197152,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2128 /prefetch:1
2⤵
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1076,2345339899499896256,4460060493840197152,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
2⤵
PID:1816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,2345339899499896256,4460060493840197152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
2⤵
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1076,2345339899499896256,4460060493840197152,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3260 /prefetch:2
2⤵
PID:968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1076,2345339899499896256,4460060493840197152,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1084 /prefetch:1
2⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,2345339899499896256,4460060493840197152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3500 /prefetch:8
2⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,2345339899499896256,4460060493840197152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3608 /prefetch:8
2⤵
PID:2132

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditEnter.3gp2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\StepPing.emf"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2456

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SplitCompare.avi"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnpublishPop.mp3"
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinDirStat\Uninstall.exe
Filesize
46KB

MD5
a127e6118b9dd2f9d5a7cc4d697a0105

SHA1
9ac17d4dcf0884ceafacf10c42209c0942dfe7a8

SHA256
afc864cfce79b2a6add491a27ea672d958233ed7a97a2cbbce60100d2fa1e670

SHA512
0e57d2856c02c55d477d9b3cc1d4bf5ffa3650d4b20be18b0a9e614d19143aee325c4cd92ff31bbddf6e93cd3ebeb47d8727de6e25faa366341cc71117122065

Download Submit
C:\Program Files (x86)\WinDirStat\wdsr040a.dll
Filesize
60KB

MD5
cf69ec4f622ab3efc0d59c94c7861d3c

SHA1
8baa748295cb941e1693e4c2a298343fbfc5c048

SHA256
75ca96992380e5b8e323310a01c8a68805ad76223197d2bdaecc03817d233dea

SHA512
dcc99395fed596e6ef7a959731254093e73fa006a14b0ecbe6f780a9d8236428d9e90024e016d5f1bdbf323e1fe01ffa3727c9d09a8666ef2745dc56462ed6cf

Download Submit
C:\Program Files (x86)\WinDirStat\windirstat.chm
Filesize
50KB

MD5
1bddb8a0e0f9cd90a5b3936ec2c2c4cf

SHA1
c8302168fb532fe03e76cb8a82aa53b49ee0bc44

SHA256
1e87c07744054709d271337d8ce06929429b334d70875605cb68ecc4c6610cd1

SHA512
b857de9026b3eab13f4dbc464e6403835e3a61e5e9e3566735bf1ddd8dedc4ecf08807b27207bd8b385250b71ea234b301dd49e6f3c90f1270ae03868c035472

Download Submit
C:\Program Files (x86)\WinDirStat\windirstat.exe
Filesize
636KB

MD5
24cd9a82fcfc658dd3ae7ba25c958ffb

SHA1
26e14a532e1e050eb20755a0b7a5fea99dd80588

SHA256
cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

SHA512
4de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d

Download Submit
C:\Program Files (x86)\WinDirStat\windirstat.exe
Filesize
636KB

MD5
24cd9a82fcfc658dd3ae7ba25c958ffb

SHA1
26e14a532e1e050eb20755a0b7a5fea99dd80588

SHA256
cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

SHA512
4de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat\Help (ENG).lnk
Filesize
1KB

MD5
ed665ade6cf9288444f19310d7e97279

SHA1
254147db398b3376f4a3676b8a7b19738b688ec4

SHA256
f0e1a753de3214313a8d0a997a9f5029854f555d831acfa47eddb31dee4581ce

SHA512
ca71c3b9fda83c556844ec4043a8fce8a931603a3bb2219dd9b6ca5245b8ce4204f62ec72358424acd8d0cf3cae1bf9e36088079787421e65964ace2ad8784ae

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat\Uninstall WinDirStat.lnk
Filesize
1KB

MD5
27a913c952ef79b49a9a5bd1455bea47

SHA1
1ac3d6b89e44c63cb41f58abb4d10218f773266e

SHA256
3a7a731ec48454f037f264a115e7a0ffaaefd1ab72db4da9fcda4a406f17bd2e

SHA512
f13d89dab9b5c6cf5650dd844eae08c82173172e4825785d61c4b05c79c87ce530cc891c013dbaa7339184d3209f4004c85ea9b6a35955a62c125016fece9f8b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat\WinDirStat.lnk
Filesize
1KB

MD5
74502cee51bc2e93a40a073078102372

SHA1
5935e1084d5c691031e51517d829d14579cb3de2

SHA256
e5e00a41680805b3891373920b25ce18e4e229f98f6e68adb49d7404512b9f5a

SHA512
4a90343d1d3589c4527d733a73aec38b345e4bf7a72b8df18e63b3c25ea87d6adfd23e44d6bcd3f51a2a68ee7bbb452673dc1b3d89fdd640f6d0e148713f3918

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf
Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
Filesize
530B

MD5
401793ebbb24e26f550a37cc2d763015

SHA1
d8ded620114c7c268772491a673f97e7030adce9

SHA256
aef4ad9110d3dc16e5deccd7a72e001ecf9a89815026cd7d867f09b787138b28

SHA512
aa9bdaadd5712ff8fa67819559512593a55d122949635fb543642666f7c515f27f5bb2f33856c01e814315d462c08d45d0595a780352a5eb6ba91e388caee5e6

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc
Filesize
93KB

MD5
478a4a09f4f74e97335cd4d5e9da7ab5

SHA1
3c4f1dc52a293f079095d0b0370428ec8e8f9315

SHA256
884b59950669842f3c45e6da3480cd9a553538b951fb155b435b48ff38683974

SHA512
e96719663cd264132a8e1ea8c3f8a148c778a0c68caa2468ba47629393605b197dd9e00efad91f389de9fcc77b04981a0cf87f785f3c645cdc9e4ebd98060ca1

Download Submit
C:\Users\Admin\Desktop\WinDirStat.lnk
Filesize
1KB

MD5
56ac7a75bebec26ee452db976b9a5496

SHA1
fe993728bb790805bcfb804facef31f254571a1b

SHA256
3749e4c9dbf6bf93f2ea24fe338046c8a95affb130f5cbcf2b4fca58e0a64f48

SHA512
47b2ec604507b523f303c49769304213fc0b12b754788177d5bc3eafd02a42f6b19f7ed8b32a8f5263c4dccbef484719b762b00061cb5d549a1dca6fbcff5275

Download Submit
\??\pipe\crashpad_1948_LSPUGGKBLCBDJLBF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\WinDirStat\Uninstall.exe
Filesize
46KB

MD5
a127e6118b9dd2f9d5a7cc4d697a0105

SHA1
9ac17d4dcf0884ceafacf10c42209c0942dfe7a8

SHA256
afc864cfce79b2a6add491a27ea672d958233ed7a97a2cbbce60100d2fa1e670

SHA512
0e57d2856c02c55d477d9b3cc1d4bf5ffa3650d4b20be18b0a9e614d19143aee325c4cd92ff31bbddf6e93cd3ebeb47d8727de6e25faa366341cc71117122065

Download Submit
\Program Files (x86)\WinDirStat\windirstat.exe
Filesize
636KB

MD5
24cd9a82fcfc658dd3ae7ba25c958ffb

SHA1
26e14a532e1e050eb20755a0b7a5fea99dd80588

SHA256
cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

SHA512
4de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d

Download Submit
\Program Files (x86)\WinDirStat\windirstat.exe
Filesize
636KB

MD5
24cd9a82fcfc658dd3ae7ba25c958ffb

SHA1
26e14a532e1e050eb20755a0b7a5fea99dd80588

SHA256
cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

SHA512
4de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d

Download Submit
\Program Files (x86)\WinDirStat\windirstat.exe
Filesize
636KB

MD5
24cd9a82fcfc658dd3ae7ba25c958ffb

SHA1
26e14a532e1e050eb20755a0b7a5fea99dd80588

SHA256
cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

SHA512
4de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d

Download Submit
\Program Files (x86)\WinDirStat\windirstat.exe
Filesize
636KB

MD5
24cd9a82fcfc658dd3ae7ba25c958ffb

SHA1
26e14a532e1e050eb20755a0b7a5fea99dd80588

SHA256
cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

SHA512
4de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d

Download Submit
\Program Files (x86)\WinDirStat\windirstat.exe
Filesize
636KB

MD5
24cd9a82fcfc658dd3ae7ba25c958ffb

SHA1
26e14a532e1e050eb20755a0b7a5fea99dd80588

SHA256
cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

SHA512
4de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d

Download Submit
\Program Files (x86)\WinDirStat\windirstat.exe
Filesize
636KB

MD5
24cd9a82fcfc658dd3ae7ba25c958ffb

SHA1
26e14a532e1e050eb20755a0b7a5fea99dd80588

SHA256
cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

SHA512
4de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d

Download Submit
\Program Files (x86)\WinDirStat\windirstat.exe
Filesize
636KB

MD5
24cd9a82fcfc658dd3ae7ba25c958ffb

SHA1
26e14a532e1e050eb20755a0b7a5fea99dd80588

SHA256
cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

SHA512
4de675be1f7d618d133ef24765a027840473e0c5bc93550d5e5fdbf078edc74c2241e6e3cd8753517e2954c7f09b9909028de7b727294d723fb5700658c7979d

Download Submit
\Users\Admin\AppData\Local\Temp\nst8F9.tmp\InstallOptions.dll
Filesize
14KB

MD5
9b2ad0546fd834c01a3bdcbfbc95da7d

SHA1
4f92f5a6b269d969ba3340f1c1978d337992a62c

SHA256
7e08cb4ff81dbb0573c672301681e31b2042682e9a2204673f811455f823dd37

SHA512
5b374fe7cc8d6ff8b93cfcc8deae23f2313f8240c998d04d3e65c196b33c7d36a33930ffd481cdd6d30aa4c73dd2a1c6fe43791e9bf10bd71b33321a8e71c6b8

Download Submit
\Users\Admin\AppData\Local\Temp\nst8F9.tmp\System.dll
Filesize
10KB

MD5
4125926391466fdbe8a4730f2374b033

SHA1
fdd23034ada72d2537939ac6755d7f7c0e9b3f0e

SHA256
6692bd93bcd04146831652780c1170da79aa3784c3c070d95fb1580e339de6c5

SHA512
32a1cf96842454b3c3641316ee39051ae024bdce9e88ac236eadad531f2c0a08d46b77d525f7d994c9a5af4cc9a391d30ee92b9ec782b7fb9a42c76f0f52a008

Download Submit
\Users\Admin\AppData\Local\Temp\nst8F9.tmp\System.dll
Filesize
10KB

MD5
4125926391466fdbe8a4730f2374b033

SHA1
fdd23034ada72d2537939ac6755d7f7c0e9b3f0e

SHA256
6692bd93bcd04146831652780c1170da79aa3784c3c070d95fb1580e339de6c5

SHA512
32a1cf96842454b3c3641316ee39051ae024bdce9e88ac236eadad531f2c0a08d46b77d525f7d994c9a5af4cc9a391d30ee92b9ec782b7fb9a42c76f0f52a008

Download Submit
memory/432-74-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/852-63-0x0000000000000000-mapping.dmp

Download
memory/1992-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2456-81-0x000007FEF5FE0000-0x000007FEF602C000-memory.dmp

Filesize
304KB

Download
memory/2456-82-0x000007FEF5FE0000-0x000007FEF602C000-memory.dmp

Filesize
304KB

Download