Analysis
- max time kernel: 159s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-09-2023 12:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: Project_1650464.msi
- Resource: win7-20230831-en
General
- Target: Project_1650464.msi
- Size: 1.8MB
- MD5: 247a8cc39384e93d258360a11381000f
- SHA1: 23893f035f8564dfea5030b9fdd54120d96072bb
- SHA256: 6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70
- SHA512: 336eca9569c0072e92ce16743f47ba9d6be06390a196f8e81654d6a42642ff5c99e423bfed00a8396bb0b037d5b54df8c3bde53757646e7e1a204f3be271c998
- SSDEEP: 24576:ftncpVGP4I9FsEsyt8l+E+s1tB7parWM0+AL5QgZQvUXtAqlU0ZyMRp:epUP59FBJZEH1X1arF0vN/nX
Malware Config
- Extracted: darkgate
- http://80.66.88.145
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  Processes: Autoit3.exe, AcroRd32Info.exe
  description | pid | process | target process
  PID 1176 created 936 | 1176 | Autoit3.exe | msiexec.exe
  PID 460 created 3608 | 460 | AcroRd32Info.exe | StartMenuExperienceHost.exe
  PID 460 created 2388 | 460 | AcroRd32Info.exe | svchost.exe
- Drops startup file 1 IoCs
  Processes: AcroRd32Info.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hdfdaed.lnk | AcroRd32Info.exe
- Executes dropped EXE 1 IoCs
  Processes: Autoit3.exe
  pid | process
  1176 | Autoit3.exe
- Loads dropped DLL 2 IoCs
  Processes: MsiExec.exe
  pid | process
  2528 | MsiExec.exe
  2528 | MsiExec.exe
- Modifies file permissions 1 TTPs 2 IoCs
  Processes: ICACLS.EXE, ICACLS.EXE
  pid | process
  5000 | ICACLS.EXE
  1704 | ICACLS.EXE
- Enumerates connected drives 3 TTPs 46 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
  description | ioc | process
  File opened (read-only) by msiexec.exe, 46 entries in report order: \??\Z:, \??\M:, \??\T:, \??\Y:, \??\A:, \??\G:, \??\L:, \??\S:, \??\N:, \??\I:, \??\K:, \??\Y:, \??\K:, \??\P:, \??\U:, \??\H:, \??\R:, \??\J:, \??\V:, \??\W:, \??\Z:, \??\E:, \??\J:, \??\N:, \??\E:, \??\B:, \??\M:, \??\V:, \??\W:, \??\S:, \??\O:, \??\X:, \??\B:, \??\H:, \??\I:, \??\R:, \??\U:, \??\Q:, \??\A:, \??\G:, \??\L:, \??\O:, \??\Q:, \??\X:, \??\P:, \??\T:
- Drops file in Windows directory 11 IoCs
  Processes: msiexec.exe, EXPAND.EXE
  description | ioc | process
  File created | C:\Windows\Installer\e597f38.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e597f38.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | EXPAND.EXE
  File opened for modification | C:\Windows\Installer\MSIAC06.tmp | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{229FD164-E132-4ADB-8998-1DB40BF25484} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI819A.tmp | msiexec.exe
  File opened for modification | C:\Windows\LOGS\DPX\setupact.log | EXPAND.EXE
  File opened for modification | C:\Windows\Installer\MSIAC65.tmp | msiexec.exe
- Program crash 2 IoCs
  Processes: WerFault.exe, WerFault.exe
  pid | pid_target | process | target process
  2544 | 5016 | WerFault.exe | VSTOInstaller.exe
  548 | 5016 | WerFault.exe | VSTOInstaller.exe
- Checks SCSI registry key(s) 3 TTPs 5 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  Processes: vssvc.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d6f92995d065bd40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d6f92990000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d6f9299000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d6f9299000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d6f929900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
- Checks processor information in registry 2 TTPs 6 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes: AcroRd32Info.exe, msinfo32.exe, Autoit3.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AcroRd32Info.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msinfo32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | msinfo32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Autoit3.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Autoit3.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32Info.exe
- Modifies registry class 1 IoCs
  Processes: StartMenuExperienceHost.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\MuiCache | StartMenuExperienceHost.exe
- Suspicious behavior: EnumeratesProcesses 14 IoCs
  Processes: msiexec.exe, Autoit3.exe, AcroRd32Info.exe, msinfo32.exe
  pid | process (entries in report order)
  1528 | msiexec.exe (2 entries)
  1176 | Autoit3.exe (4 entries)
  460 | AcroRd32Info.exe (6 entries)
  5748 | msinfo32.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken 53 IoCs
  Processes: msiexec.exe, msiexec.exe, vssvc.exe, srtasks.exe
  pid | process | tokens (consecutive entries grouped, in report order)
  936 | msiexec.exe | SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  1528 | msiexec.exe | SeSecurityPrivilege
  936 | msiexec.exe | SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  4728 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  1528 | msiexec.exe | SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
  4160 | srtasks.exe | SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
  1528 | msiexec.exe | SeRestorePrivilege, SeTakeOwnershipPrivilege
  4160 | srtasks.exe | SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
- Suspicious use of FindShellTrayWindow 2 IoCs
  Processes: msiexec.exe
  pid | process
  936 | msiexec.exe (2 entries)
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes: StartMenuExperienceHost.exe
  pid | process
  5272 | StartMenuExperienceHost.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  Processes: msiexec.exe, MsiExec.exe, Autoit3.exe
  description | pid | process | target process (consecutive identical entries grouped, in report order)
  PID 1528 wrote to memory of 4160 | 1528 | msiexec.exe | srtasks.exe (2 entries)
  PID 1528 wrote to memory of 2528 | 1528 | msiexec.exe | MsiExec.exe (3 entries)
  PID 2528 wrote to memory of 5000 | 2528 | MsiExec.exe | ICACLS.EXE (3 entries)
  PID 2528 wrote to memory of 3232 | 2528 | MsiExec.exe | EXPAND.EXE (3 entries)
  PID 2528 wrote to memory of 1176 | 2528 | MsiExec.exe | Autoit3.exe (3 entries)
  PID 1176 wrote to memory of 460 | 1176 | Autoit3.exe | AcroRd32Info.exe (50 entries)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3608
  - C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe"
    PID: 5016
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 484
      Signatures: Program crash
      PID: 2544
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 504
      Signatures: Program crash
      PID: 548
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2388
  - C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe"
    Signatures: Checks processor information in registry; Suspicious behavior: EnumeratesProcesses
    PID: 5748
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Project_1650464.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  PID: 936
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe"
    Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops startup file; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses
    PID: 460
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 1528
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    Signatures: Suspicious use of AdjustPrivilegeToken
    PID: 4160
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding EDC7550A3E1FBC04D3EDA32DC368D7C9
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    PID: 2528
    - C:\Windows\SysWOW64\ICACLS.EXE
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      Signatures: Modifies file permissions
      PID: 5000
    - C:\Windows\SysWOW64\EXPAND.EXE
      Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      Signatures: Drops file in Windows directory
      PID: 3232
    - C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\files\Autoit3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\files\Autoit3.exe" UGtZgHHT.au3
      Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 1176
    - C:\Windows\SysWOW64\ICACLS.EXE
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\." /SETINTEGRITYLEVEL (CI)(OI)LOW
      Signatures: Modifies file permissions
      PID: 1704
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
  PID: 4728
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5016 -ip 5016
  PID: 5096
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5016 -ip 5016
  PID: 4100
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
  PID: 5272
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- Filesize: 129B
  MD5: eadd9f3b0e30bdbbc9b5d037a6860574
  SHA1: 6cb87b57ca2ccd354f0af1fd195073e4b79a7cfd
  SHA256: 5cb85c9ae751aa436ae6f09dcb2bd2981af741e708812169dc3ad82394d33b09
  SHA512: d872772c59d3d96b7637ffcd370144dd984d4957c337c5d142b59899ed9a09fab625ba83d606c5d9bda68e0c74c74a1267382d59257b18332eb042ebdf54e899
- Filesize: 129B
  MD5: eadd9f3b0e30bdbbc9b5d037a6860574
  SHA1: 6cb87b57ca2ccd354f0af1fd195073e4b79a7cfd
  SHA256: 5cb85c9ae751aa436ae6f09dcb2bd2981af741e708812169dc3ad82394d33b09
  SHA512: d872772c59d3d96b7637ffcd370144dd984d4957c337c5d142b59899ed9a09fab625ba83d606c5d9bda68e0c74c74a1267382d59257b18332eb042ebdf54e899
- Filesize: 764KB
  MD5: 6c3101a2e121e2735478ce95d667884a
  SHA1: 53b0cba2b3646b0564dca59a7a544aac0b94b599
  SHA256: 0e20531dc60c23dc5a8accdb47f00f56fa706b0507cd46534b902b6d5597c4aa
  SHA512: 00d4fe88e989b563fccf194357fa5e9ab1a4d9ca23e0898b4cd6d8010d189ce356f9ad8472d8ec97df3e2301d74febed727c1b0341e52a92862a9cc23d2e0cc5
- Filesize: 764KB
  MD5: 6c3101a2e121e2735478ce95d667884a
  SHA1: 53b0cba2b3646b0564dca59a7a544aac0b94b599
  SHA256: 0e20531dc60c23dc5a8accdb47f00f56fa706b0507cd46534b902b6d5597c4aa
  SHA512: 00d4fe88e989b563fccf194357fa5e9ab1a4d9ca23e0898b4cd6d8010d189ce356f9ad8472d8ec97df3e2301d74febed727c1b0341e52a92862a9cc23d2e0cc5
- Filesize: 1.6MB
  MD5: e7c3b16ed93b760546ae6756b12644da
  SHA1: 99b3b1af70b45b4b815a814f61f9b6e509cd3bb6
  SHA256: 659733a584c52078ac6b568dfb34a089bef2b3835a5ea737d32c1623a468b743
  SHA512: b6eeaaeeb1f7c8335076075bc8033d5d4744544f3937eeaddcbef5f7ba257a64c20a47f8388c1e8f10c5821da8abe0683be8fd60c3e1a9aea25e4a705e2f8b41
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- Filesize: 757KB
  MD5: 1b524d03b27b94906c1a87b207e08179
  SHA1: 8fbad6275708a69b764992b05126e053134fb9e9
  SHA256: 1af981d9c5128b3657cdb5506d61563e0d1908b957e5dd6842059d6d3cfdc622
  SHA512: 1e0f2aea5daa40b6cb7df61ba86e0956356ab7b7ecfc9e2934bc85eec8d42d3aeb32858dd0ead24e82ef261a4120f6374263b7af9256eb79a294d51273cc4f6e
- Filesize: 1KB
  MD5: d7208ed75080378fb21b537cf811f691
  SHA1: 476ac437a83410697a023d7ad3e2ef9d7f3c99db
  SHA256: 5804f9c9caafb8678bb649c9b55532a3c4da500732012f65dd4fa859766cfa22
  SHA512: 83879b10d0e51dc8b54476c177944b31713cbf586e733d7f4bd4e45cff22414b4e2764dfca39745e610bb284248dee81c7797949293081ce3e313f4163484365
- Filesize: 1KB
  MD5: da1af45f139100022a2f4853a05d41d5
  SHA1: d33d2a120ba68d8722c23ab5378e24a4e5ca4172
  SHA256: cda00d5bd9bfdc1391f2c09fe049f8d22ebaabf88c0aa0a725f89511d363920b
  SHA512: 06f8f4f5cdbeac7a4ce92baf3ab9dfd9b2d683be9e6691792f2e9e12fc05fe2ac3b5b0045811df5220db98d71e518c2780b135dcd2317270c764f5233c7ecc7f
- Filesize: 1KB
  MD5: da1af45f139100022a2f4853a05d41d5
  SHA1: d33d2a120ba68d8722c23ab5378e24a4e5ca4172
  SHA256: cda00d5bd9bfdc1391f2c09fe049f8d22ebaabf88c0aa0a725f89511d363920b
  SHA512: 06f8f4f5cdbeac7a4ce92baf3ab9dfd9b2d683be9e6691792f2e9e12fc05fe2ac3b5b0045811df5220db98d71e518c2780b135dcd2317270c764f5233c7ecc7f
- Filesize: 1KB
  MD5: 8104ee8b8e2fe8c206b20b02e101a728
  SHA1: 2e30186e0b38c9040d00e67169d8867c77a2d5d5
  SHA256: a14d58e46ae9298efcfa4788eeb607573aba894f8224938557eb7f310d806065
  SHA512: 6ec611ca5b3dbc5a6881654b581a5ac12c32e8cf41d8e416c70a8fc367495beb8e7b566164190b83de9564b774d1ff8d8c28b72b7121a5a8abb9df9773cf287d
- Filesize: 647B
  MD5: 431c86574e3d82b9e26573e21afcbd51
  SHA1: b74477a31bb7d4a52049d2c47d23a420a092acde
  SHA256: f37837904209f12f45a646151526ce3471b652c73ffdd3f8b3c35215c354fa19
  SHA512: 62d3bf289a01e03be954934f3010711ef835a14d970926f53ee26751616257d451e3f39a50d1d943bb2f269f06b953b930ba1ad1736f5e98a1c63e373709bf1b
- Filesize: 208KB
  MD5: d82b3fb861129c5d71f0cd2874f97216
  SHA1: f3fe341d79224126e950d2691d574d147102b18d
  SHA256: 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
  SHA512: 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
- Filesize: 208KB
  MD5: d82b3fb861129c5d71f0cd2874f97216
  SHA1: f3fe341d79224126e950d2691d574d147102b18d
  SHA256: 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
  SHA512: 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
- Filesize: 208KB
  MD5: d82b3fb861129c5d71f0cd2874f97216
  SHA1: f3fe341d79224126e950d2691d574d147102b18d
  SHA256: 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
  SHA512: 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
- Filesize: 208KB
  MD5: d82b3fb861129c5d71f0cd2874f97216
  SHA1: f3fe341d79224126e950d2691d574d147102b18d
  SHA256: 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
  SHA512: 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
- Filesize: 23.0MB
  MD5: d6697a016c56c8c762cc5930c20efb37
  SHA1: 3af56e7229d9554adcadfd3e0609ecdbc27d67ae
  SHA256: f7ec730b426537ad153ae72e4c810f9273d19c308eeae822fbccd75d6f0e6659
  SHA512: b4caf542cbcf9b12ecb2aefa28662c16d6013dcb39d2e67828bde4ebea22785f2e6101216b497a1e0da9a35fbeacc7238d0a22b61b492007294764f55adb24eb
- \??\Volume{99926f1d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dba90611-9a4b-4d0f-b13a-0e578c8efbb4}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 346356f0a19ca654c271e81f1753db81
  SHA1: a927a9db7c6692262d589d000f0521ae8c4d1610
  SHA256: 7e4d4d3022cb1d8f0c06a204c549edec3581d0e2ec218a80a2d50513141875dd
  SHA512: 037a97d3ca0f111866e75a9c407c1fe9efd5cfd9cda21d8bef9daa0cb013ecd3ccbb5d73bb9b7f951b5e9dc66033b5bd65765ff7c1ae167284ee0d5e70ae46c4
- Filesize: 757KB
  MD5: 1b524d03b27b94906c1a87b207e08179
  SHA1: 8fbad6275708a69b764992b05126e053134fb9e9
  SHA256: 1af981d9c5128b3657cdb5506d61563e0d1908b957e5dd6842059d6d3cfdc622
  SHA512: 1e0f2aea5daa40b6cb7df61ba86e0956356ab7b7ecfc9e2934bc85eec8d42d3aeb32858dd0ead24e82ef261a4120f6374263b7af9256eb79a294d51273cc4f6e